[RFC v2 18/19] ima/userns: Define early teardown function for IMA namespace
From: Stefan Berger
Date: Thu Dec 02 2021 - 21:33:41 EST
Define an early teardown function ima_ns_userns_early_teardown() that
will be needed for early teardown of the namespaced SecurityFS used
by an IMA namespace since this holds one additional references to the
user namespace.
This function is not called yet since the refcount_teardown variable at
this point is always 0.
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
include/linux/user_namespace.h | 8 ++++++--
security/integrity/ima/ima_ns.c | 6 ++++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 505e3b3748b6..8f7870b37c73 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -158,14 +158,18 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
extern int create_user_ns(struct cred *new);
extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
extern void __put_user_ns(struct user_namespace *ns);
+extern void ima_ns_userns_early_teardown(struct ima_namespace *ns);
static inline void put_user_ns(struct user_namespace *ns)
{
if (ns) {
if (refcount_dec_and_test(&ns->ns.count))
__put_user_ns(ns);
- else if (refcount_read(&ns->ns.count) == ns->refcount_teardown)
- ;
+ else if (refcount_read(&ns->ns.count) == ns->refcount_teardown) {
+#ifdef CONFIG_IMA_NS
+ ima_ns_userns_early_teardown(ns->ima_ns);
+#endif
+ }
}
}
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index debe863364fd..4260f96c4eca 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -16,6 +16,7 @@
#include <linux/mount.h>
#include <linux/proc_ns.h>
#include <linux/lsm_hooks.h>
+#include <linux/user_namespace.h>
#include "ima.h"
@@ -64,6 +65,11 @@ struct ima_namespace *copy_ima_ns(struct ima_namespace *old_ns,
return create_ima_ns(user_ns);
}
+void ima_ns_userns_early_teardown(struct ima_namespace *ns)
+{
+}
+EXPORT_SYMBOL(ima_ns_userns_early_teardown);
+
static void destroy_ima_ns(struct ima_namespace *ns)
{
pr_debug("DESTROY ima_ns: 0x%p\n", ns);
--
2.31.1