Commit b882fae2 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

ima: prevent unnecessary policy checking

ima_rdwr_violation_check is called for every file opening.
The function checks the policy even when the violation condition
is not met, which causes unnecessary policy checking.

This patch does policy checking only if violation condition is met.

Changelog:
- check writecount is greater than zero (Mimi)
Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent 3e38df56
...@@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file) ...@@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file)
{ {
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
fmode_t mode = file->f_mode; fmode_t mode = file->f_mode;
int must_measure;
bool send_tomtou = false, send_writers = false; bool send_tomtou = false, send_writers = false;
char *pathbuf = NULL; char *pathbuf = NULL;
const char *pathname; const char *pathname;
...@@ -94,16 +93,12 @@ static void ima_rdwr_violation_check(struct file *file) ...@@ -94,16 +93,12 @@ static void ima_rdwr_violation_check(struct file *file)
if (mode & FMODE_WRITE) { if (mode & FMODE_WRITE) {
if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) if (atomic_read(&inode->i_readcount) && IS_IMA(inode))
send_tomtou = true; send_tomtou = true;
goto out; } else {
if ((atomic_read(&inode->i_writecount) > 0) &&
ima_must_measure(inode, MAY_READ, FILE_CHECK))
send_writers = true;
} }
must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK);
if (!must_measure)
goto out;
if (atomic_read(&inode->i_writecount) > 0)
send_writers = true;
out:
mutex_unlock(&inode->i_mutex); mutex_unlock(&inode->i_mutex);
if (!send_tomtou && !send_writers) if (!send_tomtou && !send_writers)
......