Hi Stefan,
On Fri, 2021-12-10 at 14:47 -0500, Stefan Berger wrote:
> From: Mehmet Kayaalp <mkayaalp@xxxxxxxxxxxxxxxxxx>
>
> This patch adds an rbtree to the IMA namespace structure that stores a
> namespaced version of iint->flags in ns_status struct. Similar to the
> integrity_iint_cache, both the iint ns_struct are looked up using the
> inode pointer value. The lookup, allocate, and insertion code is also
> similar, except ns_struct is not free'd when the inode is free'd.
> Instead, the lookup verifies the i_ino and i_generation fields are also a
> match.
>
> Signed-off-by: Mehmet Kayaalp <mkayaalp@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Again, hopefully it isn't premature for generic comments:
- Function/inline comments would be appreciated, especially when the
code differs from the original code. Example below.
> diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> index f820686baf9f..08781a44f7bf 100644
> --- a/security/integrity/ima/ima_init_ima_ns.c
> +++ b/security/integrity/ima/ima_init_ima_ns.c
> @@ -14,11 +14,18 @@
> #include <linux/user_namespace.h>
> #include <linux/ima.h>
> #include <linux/proc_ns.h>
> +#include <linux/slab.h>
>
> #include "ima.h"
>
> int ima_init_namespace(struct ima_namespace *ns)
> {
> + ns->ns_status_tree = RB_ROOT;
> + rwlock_init(&ns->ns_status_lock);
> + ns->ns_status_cache = KMEM_CACHE(ns_status, SLAB_PANIC);
> + if (!ns->ns_status_cache)
> + return -ENOMEM;
> +
For example, using KMEM_CACHE() is probably correct here, at least for
now, but it is different than the original code which uses
kmem_cache_alloc() with init_once(). Memory cleanup is done on free,
before it is re-used.
thanks,
Mimi
> return 0;
> }
