@@ -48,6 +48,7 @@ int digest_cache_verif_set(struct file *file, const char *verif_id, void *data,
size_t size);
void *digest_cache_verif_get(struct digest_cache *digest_cache,
const char *verif_id);
+bool digest_cache_was_reset(struct digest_cache *digest_cache);
#else
static inline struct digest_cache *digest_cache_get(struct dentry *dentry)
@@ -79,5 +80,10 @@ static inline void *digest_cache_verif_get(struct digest_cache *digest_cache,
return NULL;
}
+static inline bool digest_cache_was_reset(struct digest_cache *digest_cache)
+{
+ return false;
+}
+
#endif /* CONFIG_SECURITY_DIGEST_CACHE */
#endif /* _LINUX_DIGEST_CACHE_H */
@@ -2,6 +2,7 @@
config SECURITY_DIGEST_CACHE
bool "Digest_cache LSM"
select TLV_PARSER
+ select SECURITY_PATH
default n
help
This option enables an LSM maintaining a cache of digests
@@ -4,7 +4,8 @@
obj-$(CONFIG_SECURITY_DIGEST_CACHE) += digest_cache.o
-digest_cache-y := main.o secfs.o htable.o populate.o modsig.o verif.o dir.o
+digest_cache-y := main.o secfs.o htable.o populate.o modsig.o verif.o dir.o \
+ reset.o
digest_cache-y += parsers/tlv.o
digest_cache-y += parsers/rpm.o
@@ -18,6 +18,7 @@
#define INVALID 1 /* Digest cache marked as invalid. */
#define IS_DIR 2 /* Digest cache created from dir. */
#define DIR_PREFETCH 3 /* Prefetching requested for dir. */
+#define RESET 4 /* Digest cache to be recreated. */
/**
* struct readdir_callback - Structure to store information for dir iteration
@@ -247,4 +248,12 @@ digest_cache_dir_lookup_filename(struct dentry *dentry,
char *filename);
void digest_cache_dir_free(struct digest_cache *digest_cache);
+/* reset.c */
+int digest_cache_file_open(struct file *file);
+int digest_cache_path_truncate(const struct path *path);
+void digest_cache_file_release(struct file *file);
+int digest_cache_inode_unlink(struct inode *dir, struct dentry *dentry);
+int digest_cache_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
+ struct inode *new_dir, struct dentry *new_dentry);
+
#endif /* _DIGEST_CACHE_INTERNAL_H */
@@ -162,6 +162,11 @@ struct digest_cache *digest_cache_create(struct dentry *dentry,
/* Serialize check and assignment of dig_owner. */
mutex_lock(&dig_sec->dig_owner_mutex);
+ if (dig_sec->dig_owner && test_bit(RESET, &dig_sec->dig_owner->flags)) {
+ digest_cache_put(dig_sec->dig_owner);
+ dig_sec->dig_owner = NULL;
+ }
+
if (dig_sec->dig_owner) {
/* Increment ref. count for reference returned to the caller. */
digest_cache = digest_cache_ref(dig_sec->dig_owner);
@@ -394,6 +399,11 @@ struct digest_cache *digest_cache_get(struct dentry *dentry)
/* Serialize accesses to inode for which the digest cache is used. */
mutex_lock(&dig_sec->dig_user_mutex);
+ if (dig_sec->dig_user && test_bit(RESET, &dig_sec->dig_user->flags)) {
+ digest_cache_put(dig_sec->dig_user);
+ dig_sec->dig_user = NULL;
+ }
+
if (!dig_sec->dig_user) {
down_read(&default_path_sem);
/* Consume extra reference from digest_cache_create(). */
@@ -482,6 +492,11 @@ static void digest_cache_inode_free_security(struct inode *inode)
static struct security_hook_list digest_cache_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_alloc_security, digest_cache_inode_alloc_security),
LSM_HOOK_INIT(inode_free_security, digest_cache_inode_free_security),
+ LSM_HOOK_INIT(file_open, digest_cache_file_open),
+ LSM_HOOK_INIT(path_truncate, digest_cache_path_truncate),
+ LSM_HOOK_INIT(file_release, digest_cache_file_release),
+ LSM_HOOK_INIT(inode_unlink, digest_cache_inode_unlink),
+ LSM_HOOK_INIT(inode_rename, digest_cache_inode_rename),
};
/**
new file mode 100644
@@ -0,0 +1,168 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2023-2024 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu@huawei.com>
+ *
+ * Reset digest cache on digest lists/directory modifications.
+ */
+
+#define pr_fmt(fmt) "DIGEST CACHE: "fmt
+#include "internal.h"
+
+/**
+ * digest_cache_was_reset - Report whether or not the digest cache was reset
+ * @digest_cache: Digest cache
+ *
+ * This function reports whether or not the RESET bit was set in the digest
+ * cache.
+ *
+ * It is meant to be used by digest_cache LSM users holding a reference of a
+ * digest cache, which might need to take additional actions depending on
+ * whether or not that digest cache was reset.
+ *
+ * Return: True if the digest cache was reset, false otherwise.
+ */
+bool digest_cache_was_reset(struct digest_cache *digest_cache)
+{
+ return test_bit(RESET, &digest_cache->flags);
+}
+EXPORT_SYMBOL_GPL(digest_cache_was_reset);
+
+/**
+ * digest_cache_reset - Reset the digest cache
+ * @inode: Inode of the digest list/directory containing the digest list
+ * @reason: Reason for reset
+ *
+ * This function sets the RESET bit in the digest cache, so that
+ * digest_cache_get() and digest_cache_create() respectively release and clear
+ * dig_user and dig_owner in the inode security blob. This causes new callers
+ * of digest_cache_get() to get a new digest cache.
+ */
+static void digest_cache_reset(struct inode *inode, const char *reason)
+{
+ struct digest_cache_security *dig_sec;
+
+ dig_sec = digest_cache_get_security(inode);
+ if (unlikely(!dig_sec))
+ return;
+
+ mutex_lock(&dig_sec->dig_owner_mutex);
+ if (dig_sec->dig_owner) {
+ pr_debug("Resetting %s, reason: %s\n",
+ dig_sec->dig_owner->path_str, reason);
+ set_bit(RESET, &dig_sec->dig_owner->flags);
+ }
+ mutex_unlock(&dig_sec->dig_owner_mutex);
+}
+
+/**
+ * digest_cache_file_open - A file is being opened
+ * @file: File descriptor
+ *
+ * This function is called when a file is opened. If the inode is a digest list
+ * and is opened for write, it resets the inode dig_owner, to force rebuilding
+ * the digest cache.
+ *
+ * Return: Zero.
+ */
+int digest_cache_file_open(struct file *file)
+{
+ if (!S_ISREG(file_inode(file)->i_mode) || !(file->f_mode & FMODE_WRITE))
+ return 0;
+
+ digest_cache_reset(file_inode(file), "file_open_write");
+ return 0;
+}
+
+/**
+ * digest_cache_path_truncate - A file is being truncated
+ * @path: File path
+ *
+ * This function is called when a file is being truncated. If the inode is a
+ * digest list, it resets the inode dig_owner, to force rebuilding the digest
+ * cache.
+ *
+ * Return: Zero.
+ */
+int digest_cache_path_truncate(const struct path *path)
+{
+ struct inode *inode = d_backing_inode(path->dentry);
+
+ if (!S_ISREG(inode->i_mode))
+ return 0;
+
+ digest_cache_reset(inode, "file_truncate");
+ return 0;
+}
+
+/**
+ * digest_cache_file_release - Last reference of a file desc is being released
+ * @file: File descriptor
+ *
+ * This function is called when the last reference of a file descriptor is
+ * being released. If the parent inode is the digest list directory, the inode
+ * is a regular file and was opened for write, it resets the inode dig_owner,
+ * to force rebuilding the digest cache.
+ */
+void digest_cache_file_release(struct file *file)
+{
+ struct inode *dir = d_backing_inode(file_dentry(file)->d_parent);
+
+ if (!S_ISREG(file_inode(file)->i_mode) || !(file->f_mode & FMODE_WRITE))
+ return;
+
+ digest_cache_reset(dir, "dir_file_release");
+}
+
+/**
+ * digest_cache_inode_unlink - An inode is being removed
+ * @dir: Inode of the affected directory
+ * @dentry: Dentry of the inode being removed
+ *
+ * This function is called when an existing inode is being removed. If the
+ * inode is a digest list, or the parent inode is the digest list directory and
+ * the inode is a regular file, it resets the affected inode dig_owner, to force
+ * rebuilding the digest cache.
+ *
+ * Return: Zero.
+ */
+int digest_cache_inode_unlink(struct inode *dir, struct dentry *dentry)
+{
+ struct inode *inode = d_backing_inode(dentry);
+
+ if (!S_ISREG(inode->i_mode))
+ return 0;
+
+ digest_cache_reset(inode, "file_unlink");
+ digest_cache_reset(dir, "dir_unlink");
+ return 0;
+}
+
+/**
+ * digest_cache_inode_rename - An inode is being renamed
+ * @old_dir: Inode of the directory containing the inode being renamed
+ * @old_dentry: Dentry of the inode being renamed
+ * @new_dir: Directory where the inode will be placed into
+ * @new_dentry: Dentry of the inode after being renamed
+ *
+ * This function is called when an existing inode is being moved from a
+ * directory to another (rename). If the inode is a digest list, or that inode
+ * is moved from/to the digest list directory, it resets the affected inode
+ * dig_owner, to force rebuilding the digest cache.
+ *
+ * Return: Zero.
+ */
+int digest_cache_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
+ struct inode *new_dir, struct dentry *new_dentry)
+{
+ struct inode *old_inode = d_backing_inode(old_dentry);
+
+ if (!S_ISREG(old_inode->i_mode))
+ return 0;
+
+ digest_cache_reset(old_inode, "file_rename");
+ digest_cache_reset(old_dir, "dir_rename_from");
+ digest_cache_reset(new_dir, "dir_rename_to");
+ return 0;
+}