On Mon, 2015-10-19 at 14:21 -0400, Mimi Zohar wrote:
> On Fri, 2015-10-16 at 22:31 +0300, Petko Manolov wrote:
> > diff --git a/security/integrity/ima/ima_fs.c
> > b/security/integrity/ima/ima_fs.c
> > index 816d175..a3cf5c0 100644
> > --- a/security/integrity/ima/ima_fs.c
> > +++ b/security/integrity/ima/ima_fs.c
> > @@ -25,6 +25,8 @@
> >
> > #include "ima.h"
> >
> > +static DEFINE_MUTEX(ima_write_mutex);
> > +
> > static int valid_policy = 1;
> > #define TMPBUFLEN 12
> > static ssize_t ima_show_htable_value(char __user *buf, size_t count,
> > @@ -261,6 +263,11 @@ static ssize_t ima_write_policy(struct file *file,
> > const char __user *buf,
> > {
> > char *data = NULL;
> > ssize_t result;
> > + int res;
> > +
> > + res = mutex_lock_interruptible(&ima_write_mutex);
> > + if (res)
> > + return res;
> >
> > if (datalen >= PAGE_SIZE)
> > datalen = PAGE_SIZE - 1;
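Review bot: The new `int res` in ima_write_policy() is not needed, because `result` is already an `ssize_t` and can carry the lock's return value: `result = mutex_lock_interruptible(&ima_write_mutex);` followed by `if (result) return result;`. The lock is also taken before the length clamp, so it is presumably held across the allocation and user copy in the part of the function not shown here. Only the rule parsing and the `valid_policy` update appear to need serialising, so taking the mutex just before the parse would shorten the critical section. The matching `mutex_unlock()` added at `out:` is correct only if every path after the lock reaches that label, which cannot be confirmed from these hunks.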
> > @@ -286,6 +293,8 @@ out:
> > if (result < 0)
> > valid_policy = 0;
> > kfree(data);
> > + mutex_unlock(&ima_write_mutex);
> > +
> > return result;
> > }
> >
> > @@ -337,8 +346,12 @@ static int ima_release_policy(struct inode *inode,
> > struct file *file)
> > return 0;
> > }
> > ima_update_policy();
> > +#ifndef CONFIG_IMA_WRITE_POLICY
> > securityfs_remove(ima_policy);
> > ima_policy = NULL;
> > +#else
> > + clear_bit(IMA_FS_BUSY, &ima_fs_flags);
> > +#endif
> > return 0;
> > }
> >
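Review bot: The `#else` branch in ima_release_policy() has no comment saying that with CONFIG_IMA_WRITE_POLICY the securityfs policy file is deliberately kept, so the policy can be written again after the first load. That changes when the measurement and appraisal policy can be altered at runtime, so it should be stated at the branch, for example `/* policy file is kept so it can be written again; only release the busy flag */`. The function begins outside this hunk, so how the flag is taken on open is inferred rather than visible.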
The IMA_FS_BUSY flag also needs to be cleared, as it is here, in the
!valid_policy path above.
Mimi