[PATCH] !!!! HERE BE DRAGONS - COMPLETELY UNTESTED !!!!

From: Christian Brauner
Date: Thu Dec 16 2021 - 08:57:30 EST

Next message: Thierry Reding: "Re: [PATCH v4 02/22] ASoC: dt-bindings: tegra20-i2s: Convert to schema"
Previous message: Thierry Reding: "Re: [PATCH v4 01/22] ASoC: dt-bindings: Add binding for Tegra20 S/PDIF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Lazily initialize ima_ns. This avoids pointlessly wasting memory that is never
needed or used which I think will be the case for most containers.
---
include/linux/ima.h | 2 +-
kernel/user_namespace.c | 6 ------
security/integrity/ima/ima_fs.c | 20 ++++++++++++++++++--
security/integrity/ima/ima_main.c | 5 ++++-
security/integrity/ima/ima_ns.c | 7 ++++++-
5 files changed, 29 insertions(+), 11 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h
index a2705aa5242a..cb1b94df11a1 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -230,7 +230,7 @@ int create_ima_ns(struct user_namespace *user_ns);

static inline struct ima_namespace *get_current_ns(void)
{
- return current_user_ns()->ima_ns;
+ return smp_load_acquire(&current_user_ns()->ima_ns);
}

static inline int ima_securityfs_init(struct user_namespace *user_ns,
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 6fa01323aac9..653f8fa83b69 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -142,14 +142,8 @@ int create_user_ns(struct cred *new)
if (!setup_userns_sysctls(ns))
goto fail_keyring;

- ret = create_ima_ns(ns);
- if (ret)
- goto fail_sysctls;
-
set_cred_user_ns(new, ns);
return 0;
-fail_sysctls:
- retire_userns_sysctls(ns);
fail_keyring:
#ifdef CONFIG_PERSISTENT_KEYRINGS
key_put(ns->persistent_keyring_register);
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 3b8001ba62e3..971620a22dab 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -378,7 +378,7 @@ static const struct seq_operations ima_policy_seqops = {
static int ima_open_policy(struct inode *inode, struct file *filp)
{
struct user_namespace *user_ns = ima_user_ns_from_file(filp);
- struct ima_namespace *ns = user_ns->ima_ns;
+ struct ima_namespace *ns = user_ns->ima_ns; /* no need to use acquire semantics it's guaranteed to be initialized */

if (!(filp->f_flags & O_WRONLY)) {
#ifndef CONFIG_IMA_READ_POLICY
@@ -450,7 +450,8 @@ static const struct file_operations ima_measure_policy_ops = {

int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
{
- struct ima_namespace *ns = user_ns->ima_ns;
+ int ret;
+ struct ima_namespace *ns = user_ns->ima_ns; /* no need to use acquire semantics it's guaranteed to be initialized */
struct dentry *int_dir;
struct dentry *ima_dir = NULL;
struct dentry *ima_symlink = NULL;
@@ -459,6 +460,21 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
struct dentry *runtime_measurements_count = NULL;
struct dentry *violations = NULL;

+ /*
+ * While multiple superblocks can exist they are keyed by userns in
+ * s_fs_info for securityfs. The first time a userns mounts a
+ * securityfs instance we lazily allocate the ima_namespace for the
+ * userns since that's the only way a userns can meaningfully use ima.
+ * The vfs ensure we're the only one to call fill_super() and hence
+ * ima_fs_ns_init() so we don't need any memory barriers here, i.e.
+ * user_ns->ima_ns can't change while we're in here.
+ */
+ if (!ns) {
+ ret = create_ima_ns(user_ns);
+ if (ret)
+ return ret;
+ }
+
/* FIXME: update when evm and integrity are namespaced */
if (user_ns != &init_user_ns) {
int_dir =
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 4c85a8df3c86..a0e71416561d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -414,7 +414,10 @@ static int process_measurement(struct ima_namespace *ns,
int ret = 0;

while (user_ns) {
- ns = user_ns->ima_ns;
+ /* the container has not loaded a separate policy (yet) */
+ ns = smp_load_acquire(&user_ns->ima_ns);
+ if (!ns)
+ continue;

ret = __process_measurement(ns, file, cred, secid, buf, size,
mask, func);
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index d192a80c927f..5c7177b07344 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -31,7 +31,8 @@ int create_ima_ns(struct user_namespace *user_ns)
if (err)
goto fail_free;

- user_ns->ima_ns = ns;
+ /* Pairs with smp_load_acquire() in get_current_ns() and process_measurement(). */
+ smp_store_release(&user_ns->ima_ns, ns);

return 0;

@@ -52,6 +53,10 @@ static void destroy_ima_ns(struct ima_namespace *ns)

void free_ima_ns(struct user_namespace *user_ns)
{
+ /* No need to use acquire semantics as the userns can't be reached
+ * anymore from userspace so either ima_ns has been initialized or it
+ * never has.
+ */
struct ima_namespace *ns = user_ns->ima_ns;

if (WARN_ON(ns == &init_ima_ns))
--
2.30.2

Next message: Thierry Reding: "Re: [PATCH v4 02/22] ASoC: dt-bindings: tegra20-i2s: Convert to schema"
Previous message: Thierry Reding: "Re: [PATCH v4 01/22] ASoC: dt-bindings: Add binding for Tegra20 S/PDIF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]