summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-03-27 08:54:11 (GMT)
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-06-12 21:58:06 (GMT)
commitb882fae2d3a832fdcdc194c9f358390b1efca8e7 (patch)
tree2f9f2a00683176e02fee1acd59db3705a9228f35 /security
parent3e38df56e6ef736f3ab516664697b55caa8f3238 (diff)
downloadlinux-b882fae2d3a832fdcdc194c9f358390b1efca8e7.tar.xz
ima: prevent unnecessary policy checking
ima_rdwr_violation_check is called for every file openning. The function checks the policy even when violation condition is not met. It causes unnecessary policy checking. This patch does policy checking only if violation condition is met. Changelog: - check writecount is greater than zero (Mimi) Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/ima/ima_main.c13
1 files changed, 4 insertions, 9 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index dcc98cf..7689c1e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file)
{
struct inode *inode = file_inode(file);
fmode_t mode = file->f_mode;
- int must_measure;
bool send_tomtou = false, send_writers = false;
char *pathbuf = NULL;
const char *pathname;
@@ -94,16 +93,12 @@ static void ima_rdwr_violation_check(struct file *file)
if (mode & FMODE_WRITE) {
if (atomic_read(&inode->i_readcount) && IS_IMA(inode))
send_tomtou = true;
- goto out;
+ } else {
+ if ((atomic_read(&inode->i_writecount) > 0) &&
+ ima_must_measure(inode, MAY_READ, FILE_CHECK))
+ send_writers = true;
}
- must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK);
- if (!must_measure)
- goto out;
-
- if (atomic_read(&inode->i_writecount) > 0)
- send_writers = true;
-out:
mutex_unlock(&inode->i_mutex);
if (!send_tomtou && !send_writers)