Re: [PATCH v12 03/26] ima: Define ima_namespace struct and start moving variables into it

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 5/20/22 22:33, Serge E. Hallyn wrote:

diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c
index 93056c03bf5a..e366a21dd8be 100644
--- a/security/integrity/ima/ima_queue_keys.c
+++ b/security/integrity/ima/ima_queue_keys.c
@@ -10,6 +10,7 @@
#include <linux/user_namespace.h>
  #include <linux/workqueue.h>
+#include <linux/ima.h>
  #include <keys/asymmetric-type.h>
  #include "ima.h"
@@ -42,7 +43,7 @@ static bool timer_expired;
  static void ima_keys_handler(struct work_struct *work)
  {
  	timer_expired = true;
-	ima_process_queued_keys();
+	ima_process_queued_keys(&init_ima_ns);
  }
/*
@@ -130,11 +131,15 @@ bool ima_queue_key(struct key *keyring, const void *payload,
   * This function sets ima_process_keys to true and processes queued keys.
   * From here on keys will be processed right away (not queued).
   */
-void ima_process_queued_keys(void)
+void ima_process_queued_keys(struct ima_namespace *ns)
  {
  	struct ima_key_entry *entry, *tmp;
  	bool process = false;
+ /* only applies to init_ima_ns */

Hm, yes, it seems to, but it should be unreachable with
ns != &init_ima_ns, ever, right?

So it seems better to either not have this hunk at all, (both
here and at ima_keys_handler()) or to actually have a BUG_ON.

Or am I completely misreading the situation?

No, you are right. This function is only calledwith ns = &init_ima_ns at the moment. How about changing it to this here?

if (WARN_ON(ns != &init_ima_ns))
        return;




+	if (ns != &init_ima_ns)
+		return;
+
  	if (ima_process_keys)
  		return;
@@ -159,7 +164,7 @@ void ima_process_queued_keys(void) list_for_each_entry_safe(entry, tmp, &ima_keys, list) {
  		if (!timer_expired)
-			process_buffer_measurement(&init_user_ns, NULL,
+			process_buffer_measurement(ns, &init_user_ns, NULL,
  						   entry->payload,
  						   entry->payload_len,
  						   entry->keyring_name,
--
2.34.1



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux