diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-02-22 10:19:43 -0500 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-02-23 16:38:52 -0500 |
commit | 1adace9bb04a5f4a4dea9e642089102661bb0ceb (patch) | |
tree | 2396099935c50d838899a01da1438b8a441619de /security/integrity | |
parent | 854fdd55bfdd56cfc61bd30f2062a9268fcebba6 (diff) |
ima: remove unnecessary call to ima_must_measure
The original ima_must_measure() function based its results on cached
iint information, which required an iint be allocated for all files.
Currently, an iint is allocated only for files in policy. As a result,
for those files in policy, ima_must_measure() is now called twice: once
to determine if the inode is in the measurement policy and, the second
time, to determine if it needs to be measured/re-measured.
The second call to ima_must_measure() unnecessarily checks to see if
the file is in policy. As we already know the file is in policy, this
patch removes the second unnecessary call to ima_must_measure(), removes
the vestige iint parameter, and just checks the iint directly to determine
if the inode has been measured or needs to be measured/re-measured.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/ima/ima.h | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 13 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 6 |
3 files changed, 7 insertions, 15 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index ac79032bdf2..08408bd7146 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -110,8 +110,7 @@ struct ima_iint_cache { }; /* LIM API function definitions */ -int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode, - int mask, int function); +int ima_must_measure(struct inode *inode, int mask, int function); int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file); void ima_store_measurement(struct ima_iint_cache *iint, struct file *file, const unsigned char *filename); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d3963de6003..da36d2c085a 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -105,20 +105,13 @@ err_out: * mask: contains the permission mask * fsmagic: hex value * - * Must be called with iint->mutex held. - * - * Return 0 to measure. Return 1 if already measured. - * For matching a DONT_MEASURE policy, no policy, or other - * error, return an error code. + * Return 0 to measure. For matching a DONT_MEASURE policy, no policy, + * or other error, return an error code. */ -int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode, - int mask, int function) +int ima_must_measure(struct inode *inode, int mask, int function) { int must_measure; - if (iint && iint->flags & IMA_MEASURED) - return 1; - must_measure = ima_match_policy(inode, function, mask); return must_measure ? 0 : -EACCES; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 2df90215119..39d66dc2b8e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -65,7 +65,7 @@ static void ima_rdwr_violation_check(struct file *file) goto out; } - rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK); + rc = ima_must_measure(inode, MAY_READ, FILE_CHECK); if (rc < 0) goto out; @@ -127,7 +127,7 @@ static int process_measurement(struct file *file, const unsigned char *filename, if (!ima_initialized || !S_ISREG(inode->i_mode)) return 0; - rc = ima_must_measure(NULL, inode, mask, function); + rc = ima_must_measure(inode, mask, function); if (rc != 0) return rc; retry: @@ -141,7 +141,7 @@ retry: mutex_lock(&iint->mutex); - rc = ima_must_measure(iint, inode, mask, function); + rc = iint->flags & IMA_MEASURED ? 1 : 0; if (rc != 0) goto out; |