@@ -158,14 +158,18 @@ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
extern int create_user_ns(struct cred *new);
extern int unshare_userns(unsigned long unshare_flags, struct cred **new_cred);
extern void __put_user_ns(struct user_namespace *ns);
+extern void ima_ns_userns_early_teardown(struct ima_namespace *ns);
static inline void put_user_ns(struct user_namespace *ns)
{
if (ns) {
if (refcount_dec_and_test(&ns->ns.count))
__put_user_ns(ns);
- else if (refcount_read(&ns->ns.count) == ns->refcount_teardown)
- ;
+ else if (refcount_read(&ns->ns.count) == ns->refcount_teardown) {
+#ifdef CONFIG_IMA_NS
+ ima_ns_userns_early_teardown(ns->ima_ns);
+#endif
+ }
}
}
@@ -16,6 +16,7 @@
#include <linux/mount.h>
#include <linux/proc_ns.h>
#include <linux/lsm_hooks.h>
+#include <linux/user_namespace.h>
#include "ima.h"
@@ -64,6 +65,11 @@ struct ima_namespace *copy_ima_ns(struct ima_namespace *old_ns,
return create_ima_ns(user_ns);
}
+void ima_ns_userns_early_teardown(struct ima_namespace *ns)
+{
+}
+EXPORT_SYMBOL(ima_ns_userns_early_teardown);
+
static void destroy_ima_ns(struct ima_namespace *ns)
{
pr_debug("DESTROY ima_ns: 0x%p\n", ns);
Define an early teardown function ima_ns_userns_early_teardown() that will be needed for early teardown of the namespaced SecurityFS used by an IMA namespace since this holds one additional references to the user namespace. This function is not called yet since the refcount_teardown variable at this point is always 0. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- include/linux/user_namespace.h | 8 ++++++-- security/integrity/ima/ima_ns.c | 6 ++++++ 2 files changed, 12 insertions(+), 2 deletions(-)