[PATCH v12 03/26] ima: Define ima_namespace struct and start moving variables into it
Stefan Berger
stefanb at linux.ibm.com
Tue May 24 16:18:28 UTC 2022
On 5/20/22 22:33, Serge E. Hallyn wrote:
>> * they make a queue. The policy may be updated multiple times and this is the
>> @@ -985,16 +988,17 @@ int ima_check_policy(void)
>> * Policy rules are never deleted so ima_policy_flag gets zeroed only once when
>> * we switch from the default policy to user defined.
>> */
>> -void ima_update_policy(void)
>> +void ima_update_policy(struct ima_namespace *ns)
>> {
>> - struct list_head *policy = &ima_policy_rules;
>> + struct list_head *policy = &ns->ima_policy_rules;
>>
>> - list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
>> + list_splice_tail_init_rcu(&ns->ima_temp_rules, policy,
>> + synchronize_rcu);
>>
>> - if (ima_rules != (struct list_head __rcu *)policy) {
>> - ima_policy_flag = 0;
>> + if (ns->ima_rules != (struct list_head __rcu *)policy) {
>> + ns->ima_policy_flag = 0;
>>
>> - rcu_assign_pointer(ima_rules, policy);
>> + rcu_assign_pointer(ns->ima_rules, policy);
>> /*
>> * IMA architecture specific policy rules are specified
>> * as strings and converted to an array of ima_entry_rules
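Review bot: The `if (ns->ima_rules != (struct list_head __rcu *)policy)` branch now keys off a per-namespace pointer, but the body it guards (continuing in the next hunk, `kfree(arch_policy_entry);`) still frees the file-scope `arch_policy_entry`, which this patch does not move into `struct ima_namespace`; if a namespace other than the initial one can reach this function, its first switch away from the default rules would free, and a later one double-free, a pointer that belongs to the initial namespace. Either the `kfree()` should be limited to the initial namespace (`ns != init_ima_ns`, as the reply puts it) or `arch_policy_entry` should move into the namespace alongside the rule lists — which one is right is not visible from this quote. The new `ns` parameter is also undocumented; the kernel-doc above the function could gain `@ns: IMA namespace whose queued rules are appended to its active policy`. The function body ends in the following hunk, not in this one.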
>> @@ -1003,10 +1007,10 @@ void ima_update_policy(void)
>> */
>> kfree(arch_policy_entry);
>> }
>> - ima_update_policy_flags();
>> + ima_update_policy_flags(ns);
>>
>> /* Custom IMA policy has been loaded */
>> - ima_process_queued_keys();
>> + ima_process_queued_keys(ns);
>> }
>>
So this is a caller that may enter that function with ns != init_ima_ns,
and in that case that function should do nothing. So the WARN_ON()
is not appropriate there either.
Stefan