diff options
author | Eric Paris <eparis@redhat.com> | 2010-10-25 14:42:19 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-10-26 11:37:19 -0700 |
commit | 196f518128d2ee6e0028b50e6fec0313640db142 (patch) | |
tree | 43a1d76bee477dbaa682233979e86f58a98369f0 /security | |
parent | 64c62f06bef8314a64d3189cb9c78062d54169b3 (diff) | |
download | op-kernel-dev-196f518128d2ee6e0028b50e6fec0313640db142.zip op-kernel-dev-196f518128d2ee6e0028b50e6fec0313640db142.tar.gz |
IMA: explicit IMA i_flag to remove global lock on inode_delete
Currently for every removed inode IMA must take a global lock and search
the IMA rbtree looking for an associated integrity structure. Instead
we explicitly mark an inode when we add an integrity structure so we
only have to take the global lock and do the removal if it exists.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima_iint.c | 16 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 1 |
2 files changed, 12 insertions, 5 deletions
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c index 969a1c1..c442e47 100644 --- a/security/integrity/ima/ima_iint.c +++ b/security/integrity/ima/ima_iint.c @@ -59,6 +59,9 @@ struct ima_iint_cache *ima_iint_find(struct inode *inode) { struct ima_iint_cache *iint; + if (!IS_IMA(inode)) + return NULL; + spin_lock(&ima_iint_lock); iint = __ima_iint_find(inode); spin_unlock(&ima_iint_lock); @@ -91,6 +94,7 @@ int ima_inode_alloc(struct inode *inode) new_iint->inode = inode; new_node = &new_iint->rb_node; + mutex_lock(&inode->i_mutex); /* i_flags */ spin_lock(&ima_iint_lock); p = &ima_iint_tree.rb_node; @@ -107,14 +111,17 @@ int ima_inode_alloc(struct inode *inode) goto out_err; } + inode->i_flags |= S_IMA; rb_link_node(new_node, parent, p); rb_insert_color(new_node, &ima_iint_tree); spin_unlock(&ima_iint_lock); + mutex_unlock(&inode->i_mutex); /* i_flags */ return 0; out_err: spin_unlock(&ima_iint_lock); + mutex_unlock(&inode->i_mutex); /* i_flags */ iint_free(new_iint); return rc; @@ -135,15 +142,14 @@ void ima_inode_free(struct inode *inode) inode->i_readcount = 0; + if (!IS_IMA(inode)) + return; + spin_lock(&ima_iint_lock); iint = __ima_iint_find(inode); - if (iint) - rb_erase(&iint->rb_node, &ima_iint_tree); + rb_erase(&iint->rb_node, &ima_iint_tree); spin_unlock(&ima_iint_lock); - if (!iint) - return; - iint_free(iint); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 1dccafe..60dd615 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -211,6 +211,7 @@ void ima_file_free(struct file *file) if (!iint_initialized || !S_ISREG(inode->i_mode)) return; + iint = ima_iint_find(inode); if (iint) |