Re: [PATCH v6 02/17] ima: Define ns_status for storing namespaced iint data

Mimi Zohar <zohar@xxxxxxxxxxxxx> · Wed, 15 Dec 2021 22:53:26 -0500

On Wed, 2021-12-15 at 21:37 -0500, Stefan Berger wrote:
> On 12/15/21 16:12, Mimi Zohar wrote:
> > Hi Stefan,
> >
> > On Fri, 2021-12-10 at 14:47 -0500, Stefan Berger wrote:
> >> From: Mehmet Kayaalp <mkayaalp@xxxxxxxxxxxxxxxxxx>
> >>
> >> This patch adds an rbtree to the IMA namespace structure that stores a
> >> namespaced version of iint->flags in ns_status struct. Similar to the
> >> integrity_iint_cache, both the iint ns_struct are looked up using the
> >> inode pointer value. The lookup, allocate, and insertion code is also
> >> similar, except ns_struct is not free'd when the inode is free'd.
> >> Instead, the lookup verifies the i_ino and i_generation fields are also a
> >> match.
> >>
> >> Signed-off-by: Mehmet Kayaalp <mkayaalp@xxxxxxxxxxxxxxxxxx>
> >> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > Again, hopefully it isn't premature for generic comments:
> >
> > - Function/inline comments would be appreciated, especially when the
> > code differs from the original code.  Example below.
> >
> >> diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> >> index f820686baf9f..08781a44f7bf 100644
> >> --- a/security/integrity/ima/ima_init_ima_ns.c
> >> +++ b/security/integrity/ima/ima_init_ima_ns.c
> >> @@ -14,11 +14,18 @@
> >>   #include <linux/user_namespace.h>
> >>   #include <linux/ima.h>
> >>   #include <linux/proc_ns.h>
> >> +#include <linux/slab.h>
> >>   
> >>   #include "ima.h"
> >>   
> >>   int ima_init_namespace(struct ima_namespace *ns)
> >>   {
> >> +	ns->ns_status_tree = RB_ROOT;
> >> +	rwlock_init(&ns->ns_status_lock);
> >> +	ns->ns_status_cache = KMEM_CACHE(ns_status, SLAB_PANIC);
> >> +	if (!ns->ns_status_cache)
> >> +		return -ENOMEM;
> >> +
> > For example, using KMEM_CACHE() is probably correct here, at least for
> > now, but it is different than the original code which uses
> > kmem_cache_alloc() with init_once().  Memory cleanup is done on free,

^  kmem_cache_create() with init_once.

> > before it is re-used.
> 
> KMEM_CACHE + kmem_cache_alloc/zalloc() are pretty common. What kind of 
> comment would be helpful here?

The original reason for using kmem_cache_create() with init_once and
deferring memory cleanup to free was for performance.  Using
KMEM_CACHE() and kmem_cache_zalloc() instead could be for simplicity. 
The comment should note the change.

Mimi