From b9fc745db833bbf74b4988493b8cd902a84c9415 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 19 May 2009 13:25:57 -0400 Subject: integrity: path_check update - Add support in ima_path_check() for integrity checking without incrementing the counts. (Required for nfsd.) - rename and export opencount_get to ima_counts_get - replace ima_shm_check calls with ima_counts_get - export ima_path_check Signed-off-by: Mimi Zohar Signed-off-by: James Morris --- ipc/shm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ipc') diff --git a/ipc/shm.c b/ipc/shm.c index faa46da99eb..47b464229cd 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) error = PTR_ERR(file); if (IS_ERR(file)) goto no_file; - ima_shm_check(file); + ima_counts_get(file); id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); if (id < 0) { @@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr) file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations); if (!file) goto out_free; - ima_shm_check(file); + ima_counts_get(file); file->private_data = sfd; file->f_mapping = shp->shm_file->f_mapping; -- cgit v1.2.3 From c9d9ac525a0285a5b5ad9c3f9aa8b7c1753e6121 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 19 May 2009 13:25:58 -0400 Subject: integrity: move ima_counts_get Based on discussion on lkml (Andrew Morton and Eric Paris), move ima_counts_get down a layer into shmem/hugetlb__file_setup(). Resolves drm shmem_file_setup() usage case as well. HD comment: I still think you're doing this at the wrong level, but recognize that you probably won't be persuaded until a few more users of alloc_file() emerge, all wanting your ima_counts_get(). Resolving GEM's shmem_file_setup() is an improvement, so I'll say Acked-by: Hugh Dickins Signed-off-by: Mimi Zohar Signed-off-by: James Morris --- ipc/shm.c | 1 - 1 file changed, 1 deletion(-) (limited to 'ipc') diff --git a/ipc/shm.c b/ipc/shm.c index 47b464229cd..56081835359 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -384,7 +384,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) error = PTR_ERR(file); if (IS_ERR(file)) goto no_file; - ima_counts_get(file); id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); if (id < 0) { -- cgit v1.2.3 From 31a985fbb18c1600955124a1efd2343efa867549 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Wed, 17 Jun 2009 16:27:46 -0700 Subject: ipc: use __ARCH_WANT_IPC_PARSE_VERSION in ipc/util.h The definition of ipc_parse_version depends on __ARCH_WANT_IPC_PARSE_VERSION, but the header file declares it conditionally based on the architecture. Use the macro consistently to make it easier to add new architectures. Signed-off-by: Arnd Bergmann Acked-by: Serge Hallyn Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- ipc/util.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ipc') diff --git a/ipc/util.h b/ipc/util.h index 1187332a89d..f9fe90e4886 100644 --- a/ipc/util.h +++ b/ipc/util.h @@ -128,7 +128,7 @@ void ipc_update_perm(struct ipc64_perm *in, struct kern_ipc_perm *out); struct kern_ipc_perm *ipcctl_pre_down(struct ipc_ids *ids, int id, int cmd, struct ipc64_perm *perm, int extra_perm); -#if defined(__ia64__) || defined(__x86_64__) || defined(__hppa__) || defined(__XTENSA__) +#ifndef __ARCH_WANT_IPC_PARSE_VERSION /* On IA-64, we always use the "64-bit version" of the IPC structures. */ # define ipc_parse_version(cmd) IPC_64 #else -- cgit v1.2.3 From 64424289dd2e37b4800df1f7f2ef4fe550f58729 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Wed, 17 Jun 2009 16:27:54 -0700 Subject: ipcns: remove useless get/put while CLONE_NEWIPC copy_ipcs() doesn't actually copy anything. If new ipcns is created, it's created from scratch, in this case get/put on old ipcns isn't needed. Signed-off-by: Alexey Dobriyan Acked-by: Serge Hallyn Reviewed-by: WANG Cong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- ipc/namespace.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'ipc') diff --git a/ipc/namespace.c b/ipc/namespace.c index 4a5e752a927..a56fc598a80 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c @@ -50,15 +50,11 @@ struct ipc_namespace *copy_ipcs(unsigned long flags, struct ipc_namespace *ns) { struct ipc_namespace *new_ns; - BUG_ON(!ns); - get_ipc_ns(ns); - if (!(flags & CLONE_NEWIPC)) - return ns; + return get_ipc_ns(ns); new_ns = clone_ipc_ns(ns); - put_ipc_ns(ns); return new_ns; } -- cgit v1.2.3 From 612ce478fac2729ad564ec3f5d3c551674b8e9c2 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Wed, 17 Jun 2009 16:27:55 -0700 Subject: ipcns: extract create_ipc_ns() clone_ipc_ns() is misnamed, it doesn't clone anything and doesn't use passed parameter. Rename it. create_ipc_ns() will be used by C/R to create fresh ipcns. Signed-off-by: Alexey Dobriyan Acked-by: Serge Hallyn Reviewed-by: WANG Cong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- ipc/namespace.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'ipc') diff --git a/ipc/namespace.c b/ipc/namespace.c index a56fc598a80..231ee5359ab 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c @@ -14,7 +14,7 @@ #include "util.h" -static struct ipc_namespace *clone_ipc_ns(struct ipc_namespace *old_ns) +static struct ipc_namespace *create_ipc_ns(void) { struct ipc_namespace *ns; int err; @@ -48,14 +48,9 @@ static struct ipc_namespace *clone_ipc_ns(struct ipc_namespace *old_ns) struct ipc_namespace *copy_ipcs(unsigned long flags, struct ipc_namespace *ns) { - struct ipc_namespace *new_ns; - if (!(flags & CLONE_NEWIPC)) return get_ipc_ns(ns); - - new_ns = clone_ipc_ns(ns); - - return new_ns; + return create_ipc_ns(); } /* -- cgit v1.2.3 From b4188def441197d38f20e0935372780ed7c0e19d Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Wed, 17 Jun 2009 16:27:56 -0700 Subject: ipcns: make free_ipc_ns() static Signed-off-by: Alexey Dobriyan Reviewed-by: WANG Cong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- ipc/namespace.c | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) (limited to 'ipc') diff --git a/ipc/namespace.c b/ipc/namespace.c index 231ee5359ab..a1094ff0bef 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c @@ -83,6 +83,30 @@ void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids, up_write(&ids->rw_mutex); } +static void free_ipc_ns(struct ipc_namespace *ns) +{ + /* + * Unregistering the hotplug notifier at the beginning guarantees + * that the ipc namespace won't be freed while we are inside the + * callback routine. Since the blocking_notifier_chain_XXX routines + * hold a rw lock on the notifier list, unregister_ipcns_notifier() + * won't take the rw lock before blocking_notifier_call_chain() has + * released the rd lock. + */ + unregister_ipcns_notifier(ns); + sem_exit_ns(ns); + msg_exit_ns(ns); + shm_exit_ns(ns); + kfree(ns); + atomic_dec(&nr_ipc_ns); + + /* + * Do the ipcns removal notification after decrementing nr_ipc_ns in + * order to have a correct value when recomputing msgmni. + */ + ipcns_notify(IPCNS_REMOVED); +} + /* * put_ipc_ns - drop a reference to an ipc namespace. * @ns: the namespace to put @@ -108,27 +132,3 @@ void put_ipc_ns(struct ipc_namespace *ns) free_ipc_ns(ns); } } - -void free_ipc_ns(struct ipc_namespace *ns) -{ - /* - * Unregistering the hotplug notifier at the beginning guarantees - * that the ipc namespace won't be freed while we are inside the - * callback routine. Since the blocking_notifier_chain_XXX routines - * hold a rw lock on the notifier list, unregister_ipcns_notifier() - * won't take the rw lock before blocking_notifier_call_chain() has - * released the rd lock. - */ - unregister_ipcns_notifier(ns); - sem_exit_ns(ns); - msg_exit_ns(ns); - shm_exit_ns(ns); - kfree(ns); - atomic_dec(&nr_ipc_ns); - - /* - * Do the ipcns removal notification after decrementing nr_ipc_ns in - * order to have a correct value when recomputing msgmni. - */ - ipcns_notify(IPCNS_REMOVED); -} -- cgit v1.2.3 From 665c7741fb63c7ceeb515f1d1ed8b016efe65bf3 Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Wed, 17 Jun 2009 16:27:57 -0700 Subject: ipcns: move free_ipcs() proto Function is really private to ipc/ and avoid struct kern_ipc_perm forward declaration. Signed-off-by: Alexey Dobriyan Reviewed-by: WANG Cong Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- ipc/util.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ipc') diff --git a/ipc/util.h b/ipc/util.h index f9fe90e4886..ab3ebf2621b 100644 --- a/ipc/util.h +++ b/ipc/util.h @@ -171,5 +171,6 @@ static inline void ipc_unlock(struct kern_ipc_perm *perm) struct kern_ipc_perm *ipc_lock_check(struct ipc_ids *ids, int id); int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids, struct ipc_ops *ops, struct ipc_params *params); - +void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids, + void (*free)(struct ipc_namespace *, struct kern_ipc_perm *)); #endif -- cgit v1.2.3 From 232086b19964d0e13359d30d74b11ca31b0751cb Mon Sep 17 00:00:00 2001 From: Johannes Weiner Date: Sat, 20 Jun 2009 02:23:29 +0200 Subject: ipc: unbreak 32-bit shmctl/semctl/msgctl 31a985f "ipc: use __ARCH_WANT_IPC_PARSE_VERSION in ipc/util.h" would choose the implementation of ipc_parse_version() based on a symbol defined in . But it failed to also include this header and thus broke IPC_64-passing 32-bit userspace because the flag wasn't masked out properly anymore and the command not understood. Include to give the architecture a chance to ask for the no-no-op ipc_parse_version(). Signed-off-by: Johannes Weiner Acked-by: Arnd Bergmann Signed-off-by: Linus Torvalds --- ipc/util.h | 1 + 1 file changed, 1 insertion(+) (limited to 'ipc') diff --git a/ipc/util.h b/ipc/util.h index ab3ebf2621b..764b51a37a6 100644 --- a/ipc/util.h +++ b/ipc/util.h @@ -10,6 +10,7 @@ #ifndef _IPC_UTIL_H #define _IPC_UTIL_H +#include #include #define SEQ_MULTIPLIER (IPCMNI) -- cgit v1.2.3 From 46690f3718d95e9bb712b6f2b5c869f8494521de Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 26 Jun 2009 11:24:05 -0400 Subject: integrity: ima mq_open imbalance msg fix This patch fixes an imbalance message as reported by Sanchin Sant. As we don't need to measure the message queue, just increment the counters. Reported-by: Sanchin Sant Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn Signed-off-by: James Morris --- ipc/mqueue.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'ipc') diff --git a/ipc/mqueue.c b/ipc/mqueue.c index e35ba2c3a8d..c5e68adc673 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include "util.h" @@ -733,6 +734,7 @@ SYSCALL_DEFINE4(mq_open, const char __user *, u_name, int, oflag, mode_t, mode, error = PTR_ERR(filp); goto out_putfd; } + ima_counts_get(filp); fd_install(fd, filp); goto out_upsem; -- cgit v1.2.3