Subject: Re: [PATCH] integrity: fix IMA inode leak
From: Mimi Zohar
To: Linus Torvalds
Cc: Hugh Dickins, Mimi Zohar, Andrew Morton, Serge Hallyn, James Morris, Al Viro, linux-kernel@vger.kernel.org
Date: Sun, 07 Jun 2009 02:08:21 -0400
Message-Id: <1244354901.3963.23.camel@dyn9002018117.watson.ibm.com>

On Sat, 2009-06-06 at 14:18 -0700, Linus Torvalds wrote:
>
> On Sat, 6 Jun 2009, Hugh Dickins wrote:
> >
> > CONFIG_IMA=y inode activity leaks iint_cache and radix_tree_node objects
> > until the system runs out of memory. Nowhere is calling ima_inode_free()
> > a.k.a. ima_iint_delete(). Fix that by calling it from destroy_inode().
>
> Shouldn't we call it from "security_inode_free()" instead? And shouldn't
> it be allocated in "security_inode_alloc()"? That sounds like the correct
> nesting here, since the whole integrity thing is under the security
> module.
>
> Hmm?
>
> Linus

Mandatory Access Control (MAC) modules (i.e. SELinux, smack, etc.) and
integrity (i.e. IMA) are two different aspects of security. The LSM hooks,
which include security_inode_free(), are used to implement MAC, not
integrity.

Mimi Zohar