Message ID | 20220630020346.1151942-1-stefanb@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | ima: Defer query for iversion until it is needed |
Hi Stefan, On Wed, 2022-06-29 at 22:03 -0400, Stefan Berger wrote: > Defer the query for the iversion until it is needed. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > security/integrity/ima/ima_api.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index c1e76282b5ee..4410d45eb281 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -248,7 +248,6 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, > int result = 0; > int length; > void *tmpbuf; > - u64 i_version; > > /* > * Always collect the modsig, because IMA might have already collected > @@ -267,7 +266,6 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, > * to an initial measurement/appraisal/audit, but was modified to > * assume the file changed. > */ > - i_version = inode_query_iversion(inode); > hash.hdr.algo = algo; > hash.hdr.length = hash_digest_size[algo]; > > @@ -304,7 +302,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, > > iint->ima_hash = tmpbuf; > memcpy(iint->ima_hash, &hash, length); > - iint->version = i_version; > + iint->version = inode_query_iversion(inode); > > /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ > if (!result) Using the i_version value before calculating the file hash was done intentionally in case the file changed. thanks, Mimi
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index c1e76282b5ee..4410d45eb281 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -248,7 +248,6 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, int result = 0; int length; void *tmpbuf; - u64 i_version; /* * Always collect the modsig, because IMA might have already collected @@ -267,7 +266,6 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, * to an initial measurement/appraisal/audit, but was modified to * assume the file changed. */ - i_version = inode_query_iversion(inode); hash.hdr.algo = algo; hash.hdr.length = hash_digest_size[algo]; @@ -304,7 +302,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, iint->ima_hash = tmpbuf; memcpy(iint->ima_hash, &hash, length); - iint->version = i_version; + iint->version = inode_query_iversion(inode); /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ if (!result)
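Review bot: In the second hunk (@@ -267,7 +266,6 @@), the comment ending "but was modified to assume the file changed." sat directly above the removed `i_version = inode_query_iversion(inode);` line and is now left immediately above `hash.hdr.algo = algo;`, where it no longer describes the statement that follows it. Move the comment along with the query to the new call site in the third hunk, or reword it so it still matches the code it precedes.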
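Review bot: In the third hunk (@@ -304,7 +302,7 @@), `iint->version = inode_query_iversion(inode);` now samples the version after `memcpy(iint->ima_hash, &hash, length);`, that is, after the hash has been produced, whereas the removed query ran before `hash.hdr.algo = algo;`. That is a change in ordering and not only a deferral: if the file is modified between those two points, the value stored in iint->version would be newer than the content that was hashed, so the stored hash and stored version would no longer describe the same file state. Keep the query ahead of the hash calculation, or state in the commit message why sampling it afterwards is safe; the current message ("Defer the query for the iversion until it is needed.") does not address this.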
Defer the query for the iversion until it is needed. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- security/integrity/ima/ima_api.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)