
ima_fs: get rid of lookup-by-dentry stuff

lookup_template_data_hash_algo() machinery is used to locate the
matching ima_algo_array[] element at read time; securityfs lets us
stash that index into inode->i_private at object-creation time, so
there is no need to bother.

Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Al Viro d15ffbbf 22260a99

+16 -66
+16 -66
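--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -116,28 +116,6 @@
 		seq_putc(m, *(char *)data++);
 }
 
-static struct dentry **ascii_securityfs_measurement_lists __ro_after_init;
-static struct dentry **binary_securityfs_measurement_lists __ro_after_init;
-static int securityfs_measurement_list_count __ro_after_init;
-
-static void lookup_template_data_hash_algo(int *algo_idx, enum hash_algo *algo,
-					   struct seq_file *m,
-					   struct dentry **lists)
-{
-	struct dentry *dentry;
-	int i;
-
-	dentry = file_dentry(m->file);
-
-	for (i = 0; i < securityfs_measurement_list_count; i++) {
-		if (dentry == lists[i]) {
-			*algo_idx = i;
-			*algo = ima_algo_array[i].algo;
-			break;
-		}
-	}
-}
-
 /* print format:
  * 32bit-le=pcr#
  * char[n]=template digest
@@ -160,9 +138,10 @@
 	algo_idx = ima_sha1_idx;
 	algo = HASH_ALGO_SHA1;
 
-	if (m->file != NULL)
-		lookup_template_data_hash_algo(&algo_idx, &algo, m,
-					       binary_securityfs_measurement_lists);
+	if (m->file != NULL) {
+		algo_idx = (unsigned long)file_inode(m->file)->i_private;
+		algo = ima_algo_array[algo_idx].algo;
+	}
 
 	/* get entry */
 	e = qe->entry;
@@ -256,9 +235,10 @@
 	algo_idx = ima_sha1_idx;
 	algo = HASH_ALGO_SHA1;
 
-	if (m->file != NULL)
-		lookup_template_data_hash_algo(&algo_idx, &algo, m,
-					       ascii_securityfs_measurement_lists);
+	if (m->file != NULL) {
+		algo_idx = (unsigned long)file_inode(m->file)->i_private;
+		algo = ima_algo_array[algo_idx].algo;
+	}
 
 	/* get entry */
 	e = qe->entry;
@@ -412,57 +392,33 @@
 };
 #endif
 
-static void __init remove_securityfs_measurement_lists(struct dentry **lists)
-{
-	kfree(lists);
-}
-
 static int __init create_securityfs_measurement_lists(void)
 {
-	char file_name[NAME_MAX + 1];
-	struct dentry *dentry;
-	u16 algo;
-	int i;
-
-	securityfs_measurement_list_count = NR_BANKS(ima_tpm_chip);
+	int count = NR_BANKS(ima_tpm_chip);
 
 	if (ima_sha1_idx >= NR_BANKS(ima_tpm_chip))
-		securityfs_measurement_list_count++;
+		count++;
 
-	ascii_securityfs_measurement_lists =
-		kcalloc(securityfs_measurement_list_count, sizeof(struct dentry *),
-			GFP_KERNEL);
-	if (!ascii_securityfs_measurement_lists)
-		return -ENOMEM;
-
-	binary_securityfs_measurement_lists =
-		kcalloc(securityfs_measurement_list_count, sizeof(struct dentry *),
-			GFP_KERNEL);
-	if (!binary_securityfs_measurement_lists)
-		return -ENOMEM;
-
-	for (i = 0; i < securityfs_measurement_list_count; i++) {
-		algo = ima_algo_array[i].algo;
+	for (int i = 0; i < count; i++) {
+		u16 algo = ima_algo_array[i].algo;
+		char file_name[NAME_MAX + 1];
+		struct dentry *dentry;
 
 		sprintf(file_name, "ascii_runtime_measurements_%s",
 			hash_algo_name[algo]);
 		dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
-						ima_dir, NULL,
+						ima_dir, (void *)(uintptr_t)i,
 						&ima_ascii_measurements_ops);
 		if (IS_ERR(dentry))
 			return PTR_ERR(dentry);
 
-		ascii_securityfs_measurement_lists[i] = dentry;
-
 		sprintf(file_name, "binary_runtime_measurements_%s",
 			hash_algo_name[algo]);
 		dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
-						ima_dir, NULL,
+						ima_dir, (void *)(uintptr_t)i,
 						&ima_measurements_ops);
 		if (IS_ERR(dentry))
 			return PTR_ERR(dentry);
-
-		binary_securityfs_measurement_lists[i] = dentry;
 	}
 
 	return 0;
@@ -543,9 +499,6 @@
 	struct dentry *dentry;
 	int ret;
 
-	ascii_securityfs_measurement_lists = NULL;
-	binary_securityfs_measurement_lists = NULL;
-
 	ima_dir = securityfs_create_dir("ima", integrity_dir);
 	if (IS_ERR(ima_dir))
 		return PTR_ERR(ima_dir);
@@ -600,9 +553,6 @@
 
 	return 0;
 out:
-	remove_securityfs_measurement_lists(ascii_securityfs_measurement_lists);
-	remove_securityfs_measurement_lists(binary_securityfs_measurement_lists);
-	securityfs_measurement_list_count = 0;
 	securityfs_remove(ima_symlink);
 	securityfs_remove(ima_dir);
 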
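Review bot: The new read in both seq_file show functions, `algo_idx = (unsigned long)file_inode(m->file)->i_private;`, narrows a pointer-sized value into `int` and then indexes ima_algo_array[] with no bound, and nothing at the read site says why that is safe; I would put `/* bank index stashed by create_securityfs_measurement_lists(), always below the count it used */` above it and use one cast on both ends (the creation side writes `(void *)(uintptr_t)i`, the read side takes `(unsigned long)`). The value is set by the kernel at init, not by userspace, so this is about recording the invariant rather than a hole. Note also that the removed lookup left the sha1 defaults untouched when the dentry was not one of the per-bank lists, whereas any file opened through these fops with NULL i_private now silently reads bank 0; if ima_fs_init creates such a file outside these hunks (not visible here), that is a behaviour change worth confirming. Both show functions begin and end outside their hunks.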