Re: [RFC PATCH 1/2] Fix 1 untangling ima mess, part 2 with counters
From: Al Viro
Date: Sat Jan 23 2010 - 18:07:50 EST
On Wed, Jan 20, 2010 at 03:35:40PM -0500, Mimi Zohar wrote:
> The "Untangling ima mess, part 2 with counters" patch messed
> up the counters. Based on conversations with Al Viro, this patch
> streamlines ima_path_check() by removing the counter maintaince.
> The counters are now updated independently, from measuring the file,
> in __dentry_open() and alloc_file() by calling ima_counts_get().
> ima_path_check() is called from nfsd and do_filp_open().
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>
> fs/namei.c | 4 +-
> include/linux/ima.h | 4 +-
> security/integrity/ima/ima_main.c | 234 ++++++++++++++-----------------------
a) where's the nfsd part?
b) will that work if we open file with O_WRONLY?
nfsd side of things is non-trivial. Note that you have that thing called
an awful lot; nfsd_permission() is called by fh_verify(). For which
operations do you really want it to happen? Should it just migrate to
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/