Re: [RFC PATCH 1/2] Fix 1 untangling ima mess, part 2 with counters

From: Al Viro
Date: Sat Jan 23 2010 - 18:07:50 EST

On Wed, Jan 20, 2010 at 03:35:40PM -0500, Mimi Zohar wrote:
> The "Untangling ima mess, part 2 with counters" patch messed
> up the counters. Based on conversations with Al Viro, this patch
> streamlines ima_path_check() by removing the counter maintenance.
> The counters are now updated independently, from measuring the file,
> in __dentry_open() and alloc_file() by calling ima_counts_get().
> ima_path_check() is called from nfsd and do_filp_open().
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>
> ---
> fs/namei.c | 4 +-
> include/linux/ima.h | 4 +-
> security/integrity/ima/ima_main.c | 234 ++++++++++++++-----------------------

a) where's the nfsd part?
b) will that work if we open file with O_WRONLY?

nfsd side of things is non-trivial. Note that you have that thing called
an awful lot; nfsd_permission() is called by fh_verify(). For which
operations do you really want it to happen? Should it just migrate to
