Re: [PATCH v10 10/27] ima: Move IMA securityfs files into ima_namespace or onto stack
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2022-02-17 14:45:30
Also in:
linux-integrity, lkml
On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> Earlier we simplified how dentry creation and deletion is managed in securityfs. This allows us to move IMA securityfs files from global variables directly into ima_fs_ns_init() itself. We can now rely on those dentries to be cleaned up when the securityfs instance is cleaned when the last reference to it is dropped.
>
> Things are slightly different for the initial IMA namespace. In contrast to non-initial IMA namespaces it has pinning logic binding the lifetime of the securityfs superblock to created dentries. We need to keep this behavior to not regress userspace. Since IMA never removes most of the securityfs files the initial securityfs instance stays pinned. This also means even for the initial IMA namespace we don't need to keep references to these dentries anywhere. The ima_policy file is the exception since IMA can end up removing it on systems that don't allow reading or extending the IMA custom policy.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Acked-by: Christian Brauner <brauner@kernel.org>
Really nicely worded patch description. Thanks!

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>