On 15-12-01 13:40:05, Mimi Zohar wrote:
> On Tue, 2015-12-01 at 18:51 +0200, Petko Manolov wrote:
> > 
> > I'll also send you something resembling a patch about iint invalidation
> > based on .ima_blacklist updates.  I've got a few questions.
> 
> Ok.  At some point, we really need to take this back online.

Here we go.

First off, this is not a real patch but rather my idea in C form.  I feel 
uncertain about a few points:

        0) do keyrings keep a timestamp when created or last updated?  David?

        1) is jiffies(_64) the best thing to use for timestamping?  
           sched_clock() is known to stop at suspend/sleep.

        2) the code below is not optimal - it removes the node from the RB tree 
           and then walks it again to find the right place.  Mimi, any 
           objections to restructuring integrity_inode_get() for speed when 
           dealing with timestamps?

0) is crucial.  If there is no such thing as "time of the last update" for 
keyrings, I guess we'll either have to implement it or use another mechanism to 
get a similar result.

---
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 2de9c82..a1c0062 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -96,15 +96,21 @@ struct integrity_iint_cache *integrity_inode_get(struct 
inode *inode)
        struct integrity_iint_cache *iint, *test_iint;
 
        iint = integrity_iint_find(inode);
-       if (iint)
+       if (iint && (iint->timestamp > blacklist_timestamp)) {
                return iint;
+       } else {
+               write_lock(&integrity_iint_lock);
+               rb_erase(&iint->rb_node, &integrity_iint_tree);
+               init_once(iint);
+               goto init;
+       }
 
        iint = kmem_cache_alloc(iint_cache, GFP_NOFS);
        if (!iint)
                return NULL;
 
        write_lock(&integrity_iint_lock);
-
+init:
        p = &integrity_iint_tree.rb_node;
        while (*p) {
                parent = *p;
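Review bot: the new else branch dereferences iint when integrity_iint_find() returned NULL, so the first lookup of any inode now faults on `rb_erase(&iint->rb_node, &integrity_iint_tree);` instead of reaching the kmem_cache_alloc() path; only the "found but stale" case should take the erase-and-reinsert route. Restructure as `if (iint) { if (time_after64(iint->timestamp, blacklist_timestamp)) return iint; ... goto init; }` so that NULL falls through to allocation, and use time_after64() rather than a bare `>` for the jiffies comparison. `blacklist_timestamp` is not declared or updated anywhere in this patch, and the stale entry is erased and reset with init_once() while another caller that found it under the read lock may still hold a pointer to it; the gap between the read-locked find and the write_lock() here also lets two threads erase the same node concurrently.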
@@ -116,6 +122,7 @@ struct integrity_iint_cache *integrity_inode_get(struct 
inode *inode)
                        p = &(*p)->rb_right;
        }
 
+       iint->timestamp = jiffies_64;
        iint->inode = inode;
        node = &iint->rb_node;
        inode->i_flags |= S_IMA;
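Review bot: `iint->timestamp = jiffies_64;` reads the 64-bit counter directly, which is not atomic on 32-bit hosts; use get_jiffies_64() here. It would also help to note, in a comment next to the assignment, that this records the time the entry was (re)inserted rather than the time of the last appraisal, since the comparison added to integrity_inode_get() relies on exactly that meaning.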
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 5efe2ec..2642bf8 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -105,6 +105,7 @@ struct integrity_iint_cache {
        struct rb_node rb_node; /* rooted in integrity_iint_tree */
        struct inode *inode;    /* back pointer to inode in question */
        u64 version;            /* track inode changes */
+       u64 timestamp;          /* compare against blacklisted keys */
        unsigned long flags;
        enum integrity_status ima_file_status:4;
        enum integrity_status ima_mmap_status:4;
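Review bot: the comment on the new field says what it is compared against but not what it holds; state the unit and source, e.g. `u64 timestamp; /* jiffies_64 at (re)insertion, compared with blacklist keyring update time */`, and say where the value it is compared with lives, since `blacklist_timestamp` is not introduced in this header or elsewhere in the patch.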
---


                Petko