List:       linux-security-module
Subject:    [PATCHv2 2/2] ima: prevent unnecessary policy checking
From:       Dmitry Kasatkin <d.kasatkin () samsung ! com>
Date:       2014-03-28 11:33:05
Message-ID: 5c8df1313ccfa4e05b3c80363b76f0544162cc18.1396006270.git.d.kasatkin () samsung ! com
ima_rdwr_violation_check is called for every file opening.
The function checks the policy even when the violation condition
is not met. This causes unnecessary policy checking.

This patch does policy checking only if the violation condition is met.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
---
 security/integrity/ima/ima_main.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index efa1ad2..24c4f5e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file)
 {
 	struct inode *inode = file_inode(file);
 	fmode_t mode = file->f_mode;
-	int must_measure;
 	bool send_tomtou = false, send_writers = false;
 	char *pathbuf = NULL;
 	const char *pathname;
@@ -99,16 +98,12 @@ static void ima_rdwr_violation_check(struct file *file)
 			if (iint && (iint->flags & IMA_MEASURE))
 				send_tomtou = true;
 		}
-		goto out;
+	} else {
+		if (atomic_read(&inode->i_writecount) &&
+				ima_must_measure(inode, MAY_READ, FILE_CHECK))
+			send_writers = true;
 	}
 
-	must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK);
-	if (!must_measure)
-		goto out;
-
-	if (atomic_read(&inode->i_writecount) > 0)
-		send_writers = true;
-out:
 	mutex_unlock(&inode->i_mutex);
 
 	if (!send_tomtou && !send_writers)
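Review bot: the `> 0` comparison on i_writecount is dropped in the new `else` branch (`if (atomic_read(&inode->i_writecount) &&`), which is not equivalent to the removed `if (atomic_read(&inode->i_writecount) > 0)`. i_writecount is also non-zero when it is negative, the state deny_write_access() puts an inode in (for example while it is being executed), so the new condition would report open writers for a read of such a file where the old code did not. Keep the `> 0` so only real writers trigger the check, e.g. `if (atomic_read(&inode->i_writecount) > 0 &&`. Separately, `} else {` followed by a lone `if` can be folded into `} else if (...)`, and the continuation line for the ima_must_measure() argument is over-indented relative to the usual alignment under the opening parenthesis.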
-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html