On 15-12-01 13:40:05, Mimi Zohar wrote:
> On Tue, 2015-12-01 at 18:51 +0200, Petko Manolov wrote:
> >
> > I'll also send you something resembling a patch about iint invalidation
> > based on .ima_blacklist updates. I've got a few questions.
>
> Ok. At some point, we really need to take this back online.
Here we go. First off, this is not a real patch but rather my idea in C form. I feel uncertain about a few points:

0) do keyrings keep a timestamp when created or last updated? David?

1) is jiffies(_64) the best thing to use for timestamping? sched_clock() is known to stop at suspend/sleep.

2) the code below is not optimal - it removes the node from the RB tree and then walks it again to find the right place. Mimi, any objections to restructuring integrity_inode_get() for speed when dealing with timestamps?

0) is crucial. If there is no such thing as "time of the last update" for keyrings I guess we'll either have to implement it or use another mechanism to get a similar result.

---
diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 2de9c82..a1c0062 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -96,15 +96,21 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) struct integrity_iint_cache *iint, *test_iint; iint = integrity_iint_find(inode); - if (iint) + if (iint && (iint->timestamp > blacklist_timestamp)) { return iint; + } else { + write_lock(&integrity_iint_lock); + rb_erase(&iint->rb_node, &integrity_iint_tree); + init_once(iint); + goto init; + } iint = kmem_cache_alloc(iint_cache, GFP_NOFS); if (!iint) return NULL; write_lock(&integrity_iint_lock); - +init: p = &integrity_iint_tree.rb_node; while (*p) { parent = *p; @@ -116,6 +122,7 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) p = &(*p)->rb_right; } + iint->timestamp = jiffies_64; iint->inode = inode; node = &iint->rb_node; inode->i_flags |= S_IMA; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 5efe2ec..2642bf8 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h
@@ -105,6 +105,7 @@ struct integrity_iint_cache { struct rb_node rb_node; /* rooted in integrity_iint_tree */ struct inode *inode; /* back pointer to inode in question */ u64 version; /* track inode changes */ + u64 timestamp; /* compare against blacklisted keys */ unsigned long flags; enum integrity_status ima_file_status:4; enum integrity_status ima_mmap_status:4;

--
Petko
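Review bot: in the first iint.c hunk (integrity_inode_get, @@ -96,15 +96,21 @@) the `else` branch is reached when `integrity_iint_find()` returns NULL as well as when the entry is stale, because the new test is `iint && (iint->timestamp > blacklist_timestamp)`; on the NULL path `rb_erase(&iint->rb_node, &integrity_iint_tree)` dereferences a null pointer and `goto init` jumps over `kmem_cache_alloc()`. Keep the three cases apart: `if (!iint)` allocate, `else if (stale)` erase and reinitialise, `else return iint;`. The comparison itself should be `time_after64()` rather than a plain `>` so a wrapped jiffies_64 does not mark fresh entries stale (the strict compare already treats an entry stamped in the same jiffy as the blacklist update as stale, which is the safe direction). `blacklist_timestamp` is referenced here but declared nowhere in the patch, so it will not build as posted, and re-running the slab constructor `init_once()` on an entry that an earlier caller may still hold a pointer to deserves a comment on what protects it: the write lock covers the tree, not a previously returned `iint`.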
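Review bot: in the second iint.c hunk (@@ -116,6 +122,7 @@) `iint->timestamp = jiffies_64;` reads the 64-bit counter directly; on 32-bit builds that read can tear, which is what `get_jiffies_64()` exists for, so use `iint->timestamp = get_jiffies_64();`. Placing the assignment after the tree walk is fine since both the fresh-allocation path and the `goto init` path pass through it, but whatever code sets `blacklist_timestamp` needs to use the same accessor and the same u64 type so `time_after64()` compares like with like.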
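Review bot: in the integrity.h hunk the comment on the new field, `/* compare against blacklisted keys */`, does not say what the value is; name the unit and the counterpart, e.g. `u64 timestamp; /* jiffies_64 at (re)init, compared with blacklist_timestamp */`. Since iint.c now references `blacklist_timestamp`, this header is also where its `extern u64 blacklist_timestamp;` (or an accessor) belongs, so both files agree on the type passed to `time_after64()`.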
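The idea in the message above, as an added user-space C model that is not Petko's patch and not the kernel's IMA code: cache entries carry the "jiffies" at which they were last (re)initialised and are re-evaluated once the blacklist keyring was updated later than that. The three lookup outcomes (missing, fresh, stale) are kept as separate branches and the comparison is wraparound-safe in the manner of the kernel's time_after64(). The array-backed cache, the names iint_get, blacklist_updated and appraise, and the simulated clock are all constructed for the illustration; the rb-tree, the locking and the slab constructor of the real iint cache are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: every entry is stamped with the "jiffies" value at which
 * it was (re)initialised and counts as stale once the blacklist keyring was
 * updated later than that stamp. Not kernel code. */

#define CACHE_SLOTS 8

struct iint_entry {
	bool in_use;
	uint64_t inode;          /* stands in for the struct inode pointer */
	uint64_t timestamp;      /* "jiffies" at (re)initialisation */
	bool evaluated;          /* measurement/appraisal already done? */
};

static struct iint_entry cache[CACHE_SLOTS];
static uint64_t jiffies_model;          /* stand-in for jiffies_64 */
static uint64_t blacklist_timestamp;    /* "jiffies" of the last blacklist update */

static uint64_t get_clock(void) { return jiffies_model; }
static void tick(void) { jiffies_model++; }

/* Wraparound-safe "a is later than b", the same trick as time_after64():
 * the unsigned difference is reinterpreted as a signed value. */
static bool after64(uint64_t a, uint64_t b)
{
	return (int64_t)(a - b) > 0;
}

/* Called whenever the blacklist keyring changes. */
static void blacklist_updated(void)
{
	blacklist_timestamp = get_clock();
}

static void entry_init(struct iint_entry *e, uint64_t inode)
{
	memset(e, 0, sizeof(*e));
	e->in_use = true;
	e->inode = inode;
	e->timestamp = get_clock();
}

/* Lookup-or-create with the three cases kept apart:
 *   not cached                                      -> take a free slot
 *   cached, stamped after the last blacklist update -> reuse as-is
 *   cached, stamped at or before that update        -> reinitialise in place
 * The strict "after" means an entry stamped in the same jiffy as the update
 * is re-evaluated, which errs on the safe side. Returns NULL only when full. */
static struct iint_entry *iint_get(uint64_t inode)
{
	struct iint_entry *e = NULL;
	size_t i;

	for (i = 0; i < CACHE_SLOTS; i++)
		if (cache[i].in_use && cache[i].inode == inode) {
			e = &cache[i];
			break;
		}
	if (e) {
		if (!after64(e->timestamp, blacklist_timestamp))
			entry_init(e, inode);   /* stale: forget the old verdict */
		return e;
	}
	for (i = 0; i < CACHE_SLOTS; i++)
		if (!cache[i].in_use) {
			entry_init(&cache[i], inode);
			return &cache[i];
		}
	return NULL;
}

/* Returns true when the file had to be (re)measured, false when the cached
 * verdict was reused. A full cache is reported as a measurement. */
static bool appraise(uint64_t inode)
{
	struct iint_entry *e = iint_get(inode);

	if (!e)
		return true;
	if (e->evaluated)
		return false;
	e->evaluated = true;
	return true;
}

static void cache_reset(void)
{
	memset(cache, 0, sizeof(cache));
	jiffies_model = 1;      /* start at 1 so an entry can be "after" time 0 */
	blacklist_timestamp = 0;
}

int main(void)
{
	cache_reset();
	printf("first open: %s\n", appraise(42) ? "measured" : "cached");
	printf("second open: %s\n", appraise(42) ? "measured" : "cached");
	tick();
	blacklist_updated();
	printf("after blacklist update: %s\n", appraise(42) ? "measured" : "cached");
	return 0;
}
```

The point of the separate branches in iint_get() is that a missing entry and a stale entry need different work (allocate versus reinitialise), and neither may touch a pointer that does not exist. The signed-difference comparison is what makes the stamp survive counter wraparound; a plain greater-than would suddenly treat every entry as fresh once the counter wrapped.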