hugh@xxxxxxxxxxx is about to vanish - please update your address book to
hugh.dickins@xxxxxxxxxxxxxx

On Wed, 27 May 2009 09:31:52 -0400 Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> An nfsd exported file is opened/closed by the kernel causing the
> integrity imbalance message.
>
> Before a file is opened, there normally is permission checking, which
> is done in inode_permission(). However, as integrity checking requires
> a dentry and mount point, which is not available in inode_permission(),
> the integrity (permission) checking must be called separately.
>
> In order to detect any missing integrity checking calls, we keep track
> of file open/closes. ima_path_check() increments these counts and
> does the integrity (permission) checking. As a result, the number of
> calls to ima_path_check()/ima_file_free() should be balanced. An extra
> call to fput(), indicates the file could have been accessed without first
> calling ima_path_check().
>
> In nfsv3 permission checking is done once, followed by multiple reads,
> which do an open/close for each read. The integrity (permission) checking
> call should be in nfsd_permission() after the inode_permission() call, but
> as there is no correlation between the number of permission checking and
> open calls, the integrity checking call should not increment the counters,
> but defer it to when the file is actually opened.
>
> This patch adds:
> - integrity (permission) checking for nfsd exported files in nfsd_permission().
> - a call to increment counts for files opened by nfsd.
>
> This patch has been updated to return the nfs error types.

I have a note here that Hugh had some significant issues with the previous
version of this patch. Were these problems addressed? If so, how?

Thanks.
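
The open/close accounting described in the quoted patch description, as an added example that is not part of the original thread and is not kernel code: a simplified userspace model comparing three placements of the check for one NFSv3 permission check followed by several reads. All struct, function and enum names are hypothetical, and the rule that a free with no counted open is an imbalance is an assumption of the model.

```c
#include <stdio.h>

/* Simplified userspace model; names are hypothetical, not kernel symbols. */
struct inode_model {
    long opencount;  /* opens that were counted and not yet freed */
    long imbalance;  /* frees seen with no matching counted open */
    long checks;     /* integrity (permission) checks performed */
};

/* Check and count together, as the message describes ima_path_check(). */
static void check_and_count(struct inode_model *i) { i->checks++; i->opencount++; }
/* Check only: the call the patch places in nfsd_permission(). */
static void check_only(struct inode_model *i) { i->checks++; }
/* Count only: the increment added where nfsd actually opens the file. */
static void count_open(struct inode_model *i) { i->opencount++; }
/* Final fput(): an unmatched free is what the imbalance message reports. */
static void file_free(struct inode_model *i) {
    if (i->opencount == 0) i->imbalance++;
    else i->opencount--;
}

enum strategy { NO_CHECK, COUNT_IN_PERMISSION, CHECK_THEN_COUNT_ON_OPEN };

/* One NFSv3 permission check followed by `reads` reads, each an open/close. */
static struct inode_model nfsv3_reads(enum strategy s, int reads) {
    struct inode_model i = {0, 0, 0};
    if (s == COUNT_IN_PERMISSION) check_and_count(&i);
    if (s == CHECK_THEN_COUNT_ON_OPEN) check_only(&i);
    for (int r = 0; r < reads; r++) {
        if (s == CHECK_THEN_COUNT_ON_OPEN) count_open(&i);
        file_free(&i);
    }
    return i;
}

int main(void) {
    const char *names[] = {"no check", "count in permission", "check, count on open"};
    for (int s = NO_CHECK; s <= CHECK_THEN_COUNT_ON_OPEN; s++) {
        struct inode_model i = nfsv3_reads((enum strategy)s, 4);
        printf("%-22s checks=%ld imbalance=%ld leftover=%ld\n",
               names[s], i.checks, i.imbalance, i.opencount);
    }
    return 0;
}
```

Only the third placement, checking in the permission path and counting at each open, keeps the counters balanced while still performing the check.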