Thread: 82 messages, 4 authors, 2022-02-24

Re: [PATCH v10 10/27] ima: Move IMA securityfs files into ima_namespace or onto stack

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2022-02-17 14:45:30
Also in: linux-integrity, lkml

On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> Earlier we simplified how dentry creation and deletion is managed in
> securityfs. This allows us to move IMA securityfs files from global
> variables directly into ima_fs_ns_init() itself. We can now rely on
> those dentries to be cleaned up when the securityfs instance is cleaned
> when the last reference to it is dropped.
>
> Things are slightly different for the initial IMA namespace. In contrast
> to non-initial IMA namespaces it has pinning logic binding the lifetime
> of the securityfs superblock to created dentries. We need to keep this
> behavior to not regress userspace. Since IMA never removes most of the
> securityfs files the initial securityfs instance stays pinned. This also
> means even for the initial IMA namespace we don't need to keep
> references to these dentries anywhere.
>
> The ima_policy file is the exception since IMA can end up removing it
> on systems that don't allow reading or extending the IMA custom policy.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Acked-by: Christian Brauner <brauner@kernel.org>

Really nicely worded patch description.  Thanks!

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>