Define an early teardown function ima_ns_userns_early_teardown() that will be needed for early teardown of the securityfs_ns of an IMA name- space since this holds one additional references to the user namespace. This function is not called yet since the refcount_teardown variable at this point is always 0.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
 include/linux/user_namespace.h | 8 ++++++--
 security/integrity/ima/ima_ns.c | 6 ++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 505e3b3748b6..6bc178d4c6e2 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -158,14 +158,18 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
 extern int create_user_ns(struct cred *new);
 extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
 extern void __put_user_ns(struct user_namespace *ns);
+extern void ima_ns_userns_early_teardown(struct ima_namespace *ima_ns);
 
 static inline void put_user_ns(struct user_namespace *ns)
 {
 	if (ns) {
 		if (refcount_dec_and_test(&ns->ns.count))
 			__put_user_ns(ns);
-		else if (refcount_read(&ns->ns.count) == ns->refcount_teardown)
-			;
+		else if (refcount_read(&ns->ns.count) == ns->refcount_teardown) {
+#ifdef CONFIG_IMA_NS
+			ima_ns_userns_early_teardown(ns->ima_ns);
+#endif
+		}
 	}
 }
 
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index e4f4cf84a6b5..e7ad52b79f99 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -16,6 +16,7 @@
 #include <linux/mount.h>
 #include <linux/proc_ns.h>
 #include <linux/lsm_hooks.h>
+#include <linux/user_namespace.h>
 #include "ima.h"
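Review bot: The new `else if` branch in put_user_ns() decides to call ima_ns_userns_early_teardown() from a plain `refcount_read()` issued after `refcount_dec_and_test()` has already returned, so the threshold check is not atomic with the decrement: two concurrent callers can both observe the count equal to `refcount_teardown` and invoke the teardown twice, or a concurrent get_user_ns() can make both of them miss it. With `refcount_teardown` still 0 the branch is unreachable today (dec_and_test returning false means the count is non-zero), but once it is armed the callee must tolerate repeated and concurrent invocation, or the trigger should become a single atomic operation on the count. `ns->ima_ns` is also passed without a NULL check; whether it can be NULL at this point is not visible in this hunk and should be part of the callee's documented contract. On style, kernel convention keeps `#ifdef CONFIG_IMA_NS` out of function bodies: declare the extern under `#ifdef CONFIG_IMA_NS`, supply `static inline void ima_ns_userns_early_teardown(struct ima_namespace *ima_ns) { }` in the `#else` branch, and make the call site an unconditional `ima_ns_userns_early_teardown(ns->ima_ns);`.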
@@ -64,6 +65,11 @@ struct ima_namespace *copy_ima_ns(struct ima_namespace *old_ns,
 	return create_ima_ns(user_ns);
 }
 
+void ima_ns_userns_early_teardown(struct ima_namespace *ns)
+{
+}
+EXPORT_SYMBOL(ima_ns_userns_early_teardown);
+
 static void destroy_ima_ns(struct ima_namespace *ns)
 {
 	pr_debug("DESTROY ima_ns: 0x%p\n", ns);
-- 
2.31.1
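Review bot: The new ima_ns_userns_early_teardown() stub carries no comment stating its contract, yet it is the function put_user_ns() will call from the refcount threshold path, so the rules its future body must obey should be written down now. I would add a kernel-doc block above the definition saying that it is called from put_user_ns() when the user namespace count reaches refcount_teardown, that it may be invoked more than once and concurrently and therefore must be idempotent, and whether @ns may be NULL. The definition names its parameter `ns` while the prototype added to user_namespace.h names it `ima_ns`; pick one so the header and the implementation read the same. For a new export, kernel reviewers will typically ask for `EXPORT_SYMBOL_GPL(ima_ns_userns_early_teardown);` unless there is a specific reason for the non-GPL variant.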