mirror of
https://github.com/linuxkit/linuxkit.git
synced 2025-10-02 07:58:34 +00:00
d80e880f28
This is a project with a v1 of the IMA namespacing patches. See the readme for details on use. Signed-off-by: Tycho Andersen <tycho@docker.com>
71 lines
2.2 KiB
Diff
71 lines
2.2 KiB
Diff
From 825422c8d524f3500b7a09cda2cf39e28b4999ea Mon Sep 17 00:00:00 2001
|
|
From: Guilherme Magalhaes <guilherme.magalhaes@hpe.com>
|
|
Date: Tue, 9 May 2017 17:31:22 -0300
|
|
Subject: [PATCH 09/11] ima: delete namespace policy securityfs file in
|
|
write-once mode
|
|
|
|
When policy file is written and write-once is enabled, the policy file
|
|
must be deleted. Select the namespace policy structure to get the correct
|
|
policy file descriptor.
|
|
|
|
Signed-off-by: Guilherme Magalhaes <guilherme.magalhaes@hpe.com>
|
|
---
|
|
security/integrity/ima/ima_fs.c | 27 +++++++++++++++++++++++++--
|
|
1 file changed, 25 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
|
|
index 65c43e7..94e89fe 100644
|
|
--- a/security/integrity/ima/ima_fs.c
|
|
+++ b/security/integrity/ima/ima_fs.c
|
|
@@ -575,6 +575,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
|
|
static int ima_release_policy(struct inode *inode, struct file *file)
|
|
{
|
|
const char *cause = valid_policy ? "completed" : "failed";
|
|
+ struct ima_ns_policy *ins;
|
|
|
|
if ((file->f_flags & O_ACCMODE) == O_RDONLY)
|
|
return seq_release(inode, file);
|
|
@@ -595,15 +596,37 @@ static int ima_release_policy(struct inode *inode, struct file *file)
|
|
return 0;
|
|
}
|
|
|
|
+ /* get the namespace id from file->inode (policy file inode).
|
|
+ * We also need to synchronize this operation with concurrent namespace
|
|
+ * releasing. */
|
|
+ ima_namespace_lock();
|
|
+ ins = ima_get_namespace_policy_from_inode(inode);
|
|
+ if (!ins) {
|
|
+ /* the namespace is not valid anymore, discard new policy
|
|
+ * rules and exit */
|
|
+ ima_delete_rules();
|
|
+ valid_policy = 1;
|
|
+ clear_bit(IMA_FS_BUSY, &ima_fs_flags);
|
|
+ ima_namespace_unlock();
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
ima_update_policy();
|
|
#ifndef CONFIG_IMA_WRITE_POLICY
|
|
- securityfs_remove(ima_policy_initial_ns);
|
|
- ima_policy = NULL;
|
|
+ if (ins == &ima_initial_namespace_policy) {
|
|
+ securityfs_remove(ima_policy_initial_ns);
|
|
+ ima_policy_initial_ns = NULL;
|
|
+ } else {
|
|
+ securityfs_remove(ins->policy_dentry);
|
|
+ ins->policy_dentry = NULL;
|
|
+ }
|
|
#endif
|
|
|
|
/* always clear the busy flag so other namespaces can use it */
|
|
clear_bit(IMA_FS_BUSY, &ima_fs_flags);
|
|
|
|
+ ima_namespace_unlock();
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
--
|
|
2.9.3
|
|
|