]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
ima: prevent unnecessary policy checking
authorDmitry Kasatkin <d.kasatkin@samsung.com>
Thu, 27 Mar 2014 08:54:11 +0000 (10:54 +0200)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Thu, 12 Jun 2014 21:58:06 +0000 (17:58 -0400)
ima_rdwr_violation_check is called for every file openning.
The function checks the policy even when violation condition
is not met. It causes unnecessary policy checking.

This patch does policy checking only if violation condition is met.

Changelog:
- check writecount is greater than zero (Mimi)

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/ima/ima_main.c

index dcc98cf542d83fb4768ff3bd2ec113c204c7ecb6..7689c1e21f0927f07aeb4e67c2146013a311a854 100644 (file)
@@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file)
 {
        struct inode *inode = file_inode(file);
        fmode_t mode = file->f_mode;
-       int must_measure;
        bool send_tomtou = false, send_writers = false;
        char *pathbuf = NULL;
        const char *pathname;
@@ -94,16 +93,12 @@ static void ima_rdwr_violation_check(struct file *file)
        if (mode & FMODE_WRITE) {
                if (atomic_read(&inode->i_readcount) && IS_IMA(inode))
                        send_tomtou = true;
-               goto out;
+       } else {
+               if ((atomic_read(&inode->i_writecount) > 0) &&
+                   ima_must_measure(inode, MAY_READ, FILE_CHECK))
+                       send_writers = true;
        }
 
-       must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK);
-       if (!must_measure)
-               goto out;
-
-       if (atomic_read(&inode->i_writecount) > 0)
-               send_writers = true;
-out:
        mutex_unlock(&inode->i_mutex);
 
        if (!send_tomtou && !send_writers)