From: Dongsu Park
Date: Mon, 29 Jan 2018 18:40:16 +0100
Subject: Re: [RFC PATCH v3 2/2] ima: force re-appraisal on filesystems with FS_IMA_NO_CACHE
To: Mimi Zohar
Cc: "Serge E. Hallyn", Alban Crequy, Iago López Galeiras, LKML, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miklos Szeredi, Alexander Viro, dmitry.kasatkin@gmail.com, James Morris, Seth Forshee, hch@infradead.org
In-Reply-To: <1517243585.29187.546.camel@linux.vnet.ibm.com>
References: <20180122162452.8756-1-alban@kinvolk.io> <20180122162452.8756-3-alban@kinvolk.io> <20180124175234.GA29811@mail.hallyn.com> <1516881401.3751.37.camel@linux.vnet.ibm.com> <1517243585.29187.546.camel@linux.vnet.ibm.com>
List-ID: linux-kernel@vger.kernel.org

Hi Mimi,

On Mon, Jan 29, 2018 at 5:33 PM, Mimi Zohar wrote:
> Hi Alban,
>
> On Thu, 2018-01-25 at 06:56 -0500, Mimi Zohar wrote:
>> > > @@ -228,9 +229,28 @@ static int process_measurement(struct file *file, char *buf, loff_t size, >> > > IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | >> > > IMA_ACTION_FLAGS); >> > > >> > > - if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags)) >> > > - /* reset all flags if ima_inode_setxattr was called */ >> > > + /* >> > > + * Reset the measure, appraise and audit cached flags either if: >> > > + * - ima_inode_setxattr was called, or >> > > + * - based on filesystem feature flag >> > > + * forcing the file to be re-evaluated. >> > > + */ >> > > + if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags)) { >> > > iint->flags &= ~IMA_DONE_MASK; >> > > + } else if (inode->i_sb->s_type->fs_flags & FS_IMA_NO_CACHE) { >> > > + if (action & IMA_MEASURE) { >> > > + iint->measured_pcrs = 0; >> > > + iint->flags &= >> > > + ~(IMA_COLLECTED | IMA_MEASURE | IMA_MEASURED); >> > > + } >> > > + if (action & IMA_APPRAISE) >> > > + iint->flags &= >> > > + ~(IMA_COLLECTED | IMA_APPRAISE | IMA_APPRAISED | >> > > + IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK); >> > > + if (action & IMA_AUDIT) >> > > + iint->flags &= >> > > + ~(IMA_COLLECTED | IMA_AUDIT | IMA_AUDITED); >> > > + } >> > > >> >> Alban, I don't know what I was thinking, but this can be simplified >> like for the IMA_CHANGE_XATTR case. Except in the IMA_CHANGE_XATTR >> case, "measured_pcrs" was already reset, whereas in this case >> "measured_pcrs" needs to be reset. > > Did you get a chance to make the change and test it? Alban has been on holidays, so he will be back on Wednesday or so. So I'll try to understand what you meant in the last email. 
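Review bot: the three `if (action & ...)` blocks in the FS_IMA_NO_CACHE else-if branch only clear bits that the IMA_CHANGE_XATTR branch already clears in one step with `iint->flags &= ~IMA_DONE_MASK;`, so they can collapse to that single statement, keeping only `iint->measured_pcrs = 0;` under `if (action & IMA_MEASURE)` since, as noted, measured_pcrs is already reset on the IMA_CHANGE_XATTR path but not here. Note that the collapsed form also drops the cached appraise and audit flags when the action is measure-only, which is the same behaviour the IMA_CHANGE_XATTR branch has today, so that case is worth covering when the reworked patch is tested. The new comment should also name FS_IMA_NO_CACHE rather than "based on filesystem feature flag", so a reader can see which flag forces re-evaluation.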
As IMA_DONE_MASK contains all other bitmasks, it's possible to optimize the code like this:

	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags)) {
		iint->flags &= ~IMA_DONE_MASK;
	} else if (inode->i_sb->s_type->fs_flags & FS_IMA_NO_CACHE) {
		iint->flags &= ~IMA_DONE_MASK;
		if (action & IMA_MEASURE)
			iint->measured_pcrs = 0;
	}

Is that what you want to see? Please let me know if it's not.

Tomorrow I will try to test with a new patch.

Thanks,
Dongsu

> Mimi
>
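The following is an added example, not code from the patch, the reply or the kernel. It models the two flag-reset variants discussed in this thread (the per-action clearing from the quoted FS_IMA_NO_CACHE branch and the simplified `~IMA_DONE_MASK` form) on a small iint stand-in and compares their results. All flag bit values, `OTHER_FLAG` and the `iint_model` struct are constructed for illustration; they are not the kernel's real IMA definitions, and IMA_DONE_MASK here is simply the union of the other bits, as the reply states. Running it shows where the two forms agree (an action covering measure, appraise and audit; measured_pcrs handling) and where they differ (a measure-only action, for which the simplified form also drops the cached appraise and audit flags), which is the behavioural change to cover when the new patch is tested.

```c
/*
 * Added example (not from the patch or the kernel): models the two ways of
 * resetting cached IMA flags discussed in the thread and compares them.
 * All bit values are constructed for illustration, not the kernel's real ones.
 */
#include <stdint.h>
#include <stdio.h>

#define IMA_MEASURE            0x0001u
#define IMA_MEASURED           0x0002u
#define IMA_APPRAISE           0x0004u
#define IMA_APPRAISED          0x0008u
#define IMA_COLLECTED          0x0010u
#define IMA_AUDIT              0x0020u
#define IMA_AUDITED            0x0040u
#define IMA_APPRAISE_SUBMASK   0x0f00u  /* constructed per-hook appraise bits */
#define IMA_APPRAISED_SUBMASK  0xf000u  /* constructed per-hook appraised bits */
/* Union of all the cached-state bits above, as the thread describes it. */
#define IMA_DONE_MASK (IMA_MEASURE | IMA_MEASURED | IMA_APPRAISE | IMA_APPRAISED | \
		       IMA_COLLECTED | IMA_AUDIT | IMA_AUDITED | \
		       IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK)
#define OTHER_FLAG             0x10000u /* constructed stand-in for a flag outside IMA_DONE_MASK */

/* Minimal stand-in for the fields of the integrity inode cache touched here. */
struct iint_model {
	uint32_t flags;
	uint32_t measured_pcrs;
};

/* Variant A: per-action clearing as in the quoted hunk's FS_IMA_NO_CACHE branch. */
static void reset_per_action(struct iint_model *iint, uint32_t action)
{
	if (action & IMA_MEASURE) {
		iint->measured_pcrs = 0;
		iint->flags &= ~(IMA_COLLECTED | IMA_MEASURE | IMA_MEASURED);
	}
	if (action & IMA_APPRAISE)
		iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISE | IMA_APPRAISED |
				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK);
	if (action & IMA_AUDIT)
		iint->flags &= ~(IMA_COLLECTED | IMA_AUDIT | IMA_AUDITED);
}

/* Variant B: the simplified form proposed in the reply. */
static void reset_done_mask(struct iint_model *iint, uint32_t action)
{
	iint->flags &= ~IMA_DONE_MASK;
	if (action & IMA_MEASURE)
		iint->measured_pcrs = 0;
}

/* Flags left after applying one variant to an iint that started with start_flags. */
uint32_t flags_after(uint32_t start_flags, uint32_t action, int simplified)
{
	struct iint_model iint = { start_flags, 0xffu };
	if (simplified)
		reset_done_mask(&iint, action);
	else
		reset_per_action(&iint, action);
	return iint.flags;
}

/* measured_pcrs left after one variant; it starts at 0xff (constructed non-zero value). */
uint32_t pcrs_after(uint32_t action, int simplified)
{
	struct iint_model iint = { IMA_DONE_MASK, 0xffu };
	if (simplified)
		reset_done_mask(&iint, action);
	else
		reset_per_action(&iint, action);
	return iint.measured_pcrs;
}

/* 1 if both variants leave identical state for this start/action pair, else 0. */
int variants_agree(uint32_t start_flags, uint32_t action)
{
	struct iint_model a = { start_flags, 0xffu }, b = { start_flags, 0xffu };
	reset_per_action(&a, action);
	reset_done_mask(&b, action);
	return a.flags == b.flags && a.measured_pcrs == b.measured_pcrs;
}

int main(void)
{
	static const struct { const char *name; uint32_t action; } cases[] = {
		{ "measure+appraise+audit", IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT },
		{ "measure only",           IMA_MEASURE },
		{ "appraise only",          IMA_APPRAISE },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		uint32_t start = IMA_DONE_MASK | OTHER_FLAG; /* everything cached, plus an unrelated bit */
		printf("%-24s per-action=0x%05x simplified=0x%05x agree=%d\n", cases[i].name,
		       (unsigned)flags_after(start, cases[i].action, 0),
		       (unsigned)flags_after(start, cases[i].action, 1),
		       variants_agree(start, cases[i].action));
	}
	return 0;
}
```

`OTHER_FLAG` survives both variants, which confirms neither form touches bits outside IMA_DONE_MASK; the measure-only row is the one where the two forms diverge.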