
IMA: maintain i_readcount in the VFS layer



[PATCH v1.2 3/5] IMA: maintain i_readcount in the VFS layer

ima_counts_get() updated the readcount and invalidated the PCR,
as necessary. Only update the i_readcount in the VFS layer.
Move the PCR invalidation checks to ima_file_check(), where it
belongs.

Maintaining the i_readcount in the VFS layer will allow other
subsystems to use i_readcount.

Signed-off-by: Mimi Zohar <zohar <at> us.ibm.com>
---
fs/file_table.c                   |    5 ++++-
fs/open.c                         |    3 ++-
include/linux/ima.h               |    6 ------
security/integrity/ima/ima_iint.c |    2 --
security/integrity/ima/ima_main.c |   25 ++++++++-----------------
5 files changed, 14 insertions(+), 27 deletions(-)

diff --git a/fs/file_table.c b/fs/file_table.c
index c3dee38..0c724de 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
<at>  <at>  -190,7 +190,8  <at>  <at>  struct file *alloc_file(struct path *path, fmode_t mode,
file_take_write(file);
WARN_ON(mnt_clone_write(path->mnt));
}
-	ima_counts_get(file);
+	if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+		i_readcount_inc(path->dentry->d_inode);
return file;
}
EXPORT_SYMBOL(alloc_file);
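Review bot: The read-only predicate `(mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ` added here is now hand-copied in three places (alloc_file, __fput and __dentry_open), and the count silently drifts if any one copy is edited alone; consider hoisting it next to i_readcount_inc() as `static inline bool is_readonly_open(fmode_t mode)` or at least documenting it once. The reason an O_RDWR open is deliberately left out of i_readcount is not stated anywhere in the patch; presumably it is because such an open is already tracked through i_writecount by the write-access path (file_take_write() is visible just above), so a one-line comment like `/* only pure readers are counted; read/write opens show up in i_writecount */` at the increment would help the next reader. i_readcount_inc() itself is not defined in this patch, so its underflow/overflow behaviour cannot be checked from here.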
<at>  <at>  -251,6 +252,8  <at>  <at>  static void __fput(struct file *file)
fops_put(file->f_op);
put_pid(file->f_owner.pid);
file_sb_list_del(file);
+	if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+		i_readcount_dec(inode);
if (file->f_mode & FMODE_WRITE)
drop_file_write_access(file);
file->f_path.dentry = NULL;
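Review bot: The new `i_readcount_dec(inode)` has no visible guard against driving the counter below zero, and the helper it calls is not part of this patch, so it presumably comes from an earlier patch in the series; make sure it refuses to decrement a zero count (`WARN_ON`/`BUG_ON`), because a stale or negative i_readcount would feed the ToMToU decision in ima_rdwr_violation_check() for every later open of the inode. The `inode` variable used here is not declared inside the hunk; I assume it is the existing local at the top of __fput, which begins outside this view. Note that the decrement is now performed after ima_file_free() has run, whereas the removed ima_dec_counts() did it from inside the IMA hook; if nothing between the two points reads the counter this is harmless, but it is a reordering worth a line in the commit message.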
diff --git a/fs/open.c b/fs/open.c
index 4197b9e..0d485c5 100644
--- a/fs/open.c
+++ b/fs/open.c
<at>  <at>  -688,7 +688,8  <at>  <at>  static struct file *__dentry_open(struct dentry *dentry, struct vfsmount *mnt,
if (error)
goto cleanup_all;
}
-	ima_counts_get(f);
+	if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+		i_readcount_inc(inode);

f->f_flags &= ~(O_CREAT | O_EXCL | O_NOCTTY | O_TRUNC);

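Review bot: The increment now happens here in __dentry_open while the violation check has moved to ima_file_check(), which is called from a different point of the open path outside this file, so the check-and-count sequence that the removed ima_counts_get() performed under one i_lock critical section is now two unlocked steps. From what is visible this still works for two racing opens, since each side bumps its counter before either side checks, but an open that is counted here and then fails before ima_file_check() runs relies on fput() going through __fput() to undo the count; that is not shown in this hunk and is worth confirming. A short comment would make the ordering explicit: `/* counted here; the ToMToU check runs later from ima_file_check() */`.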
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 975837e..09e6e62 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
<at>  <at>  -20,7 +20,6  <at>  <at>  extern void ima_inode_free(struct inode *inode);
extern int ima_file_check(struct file *file, int mask);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot);
-extern void ima_counts_get(struct file *file);

#else
static inline int ima_bprm_check(struct linux_binprm *bprm)
<at>  <at>  -53,10 +52,5  <at>  <at>  static inline int ima_file_mmap(struct file *file, unsigned long prot)
return 0;
}

-static inline void ima_counts_get(struct file *file)
-{
-	return;
-}
-
#endif /* CONFIG_IMA_H */
#endif /* _LINUX_IMA_H */
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c
index f005355..68efe3b 100644
--- a/security/integrity/ima/ima_iint.c
+++ b/security/integrity/ima/ima_iint.c
<at>  <at>  -141,8 +141,6  <at>  <at>  void ima_inode_free(struct inode *inode)
printk(KERN_INFO "%s: readcount: %u\n", __func__,
atomic_read(&inode->i_readcount));

-	atomic_set(&inode->i_readcount, 0);
-
if (!IS_IMA(inode))
return;

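Review bot: Dropping `atomic_set(&inode->i_readcount, 0)` from ima_inode_free() means i_readcount must now be zeroed when the inode is (re)initialised, which is not shown in this patch; I assume an earlier patch in the series adds that to inode_init_always(), and if it does not, a recycled inode object starts with a stale count and either raises spurious invalid_pcr/ToMToU violations or masks real ones. The printk just above still reports the readcount at free time, so a non-zero value there now indicates a leaked increment rather than something this function cleans up; if that is the intent, a comment such as `/* a non-zero readcount here means an unbalanced i_readcount_inc/dec pair */` would record it. ima_inode_free() starts before this hunk.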
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index a189197..a0626bc 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
<at>  <at>  -86,17 +86,16  <at>  <at>  out:
}

/*
- * ima_counts_get - increment file counts
+ * ima_rdwr_violation_check
*
- * Maintain read/write counters for all files, but only
- * invalidate the PCR for measured files:
+ * Only invalidate the PCR for measured files:
* 	- Opening a file for write when already open for read,
*	  results in a time of measure, time of use (ToMToU) error.
*	- Opening a file for read when already open for write,
* 	  could result in a file measurement error.
*
*/
-void ima_counts_get(struct file *file)
+static void ima_rdwr_violation_check(struct file *file)
{
struct dentry *dentry = file->f_path.dentry;
struct inode *inode = dentry->d_inode;
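Review bot: The new header comment `ima_rdwr_violation_check` is just the function name; since this is now a static helper with a specific calling requirement, document it, for example `ima_rdwr_violation_check - detect conflicting read/write opens of a measured file` and `@file: the file being opened; must be called once the VFS has accounted this open in i_readcount/i_writecount`. The second part follows from the function reading both counters further down, and from the increment now living in __dentry_open rather than here. The body of the function continues past this hunk.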
<at>  <at>  -104,13 +103,10  <at>  <at>  void ima_counts_get(struct file *file)
int rc;
bool send_tomtou = false, send_writers = false;

-	if (!S_ISREG(inode->i_mode))
+	if (!S_ISREG(inode->i_mode) || !ima_initialized)
return;

-	spin_lock(&inode->i_lock);
-
-	if (!ima_initialized)
-		goto out;
+	mutex_lock(&inode->i_mutex);	/* file metadata: permissions, xattr */

if (mode & FMODE_WRITE) {
if (atomic_read(&inode->i_readcount) && IS_IMA(inode))
<at>  <at>  -125,11 +121,7  <at>  <at>  void ima_counts_get(struct file *file)
if (atomic_read(&inode->i_writecount) > 0)
send_writers = true;
out:
-	/* remember the vfs deals with i_writecount */
-	if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
-		atomic_inc(&inode->i_readcount);
-
-	spin_unlock(&inode->i_lock);
+	mutex_unlock(&inode->i_mutex);

if (send_tomtou)
ima_add_violation(inode, dentry->d_name.name, "invalid_pcr",
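Review bot: Switching from `spin_lock(&inode->i_lock)` to `mutex_lock(&inode->i_mutex)` does not serialize this check against the counter updates, because the new i_readcount_inc/i_readcount_dec calls in file_table.c and open.c are made without i_mutex and i_writecount is read with a plain atomic_read as well; the inline comment says the mutex is for "file metadata: permissions, xattr", so the racy counter reads are by design and deserve an explicit note such as `/* i_readcount/i_writecount are updated lock-free by the VFS; i_mutex only orders us against metadata (xattr) changes */`. Taking i_mutex here also means ima_file_check() must never be reached with i_mutex already held by its caller; those callers are outside this patch, so that needs confirming. The function begins in the previous hunk.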
<at>  <at>  -158,7 +150,6  <at>  <at>  static void ima_dec_counts(struct inode *inode, struct file *file)
}
return;
}
-		atomic_dec(&inode->i_readcount);
}
}

<at>  <at>  -203,8 +194,7  <at>  <at>  static void ima_file_free_noiint(struct inode *inode, struct file *file)
* ima_file_free - called on __fput()
*  <at> file: pointer to file structure being freed
*
- * Flag files that changed, based on i_version;
- * and decrement the i_readcount.
+ * Flag files that changed, based on i_version
*/
void ima_file_free(struct file *file)
{
<at>  <at>  -318,6 +308,7  <at>  <at>  int ima_file_check(struct file *file, int mask)
{
int rc;

+	ima_rdwr_violation_check(file);
rc = process_measurement(file, file->f_dentry->d_name.name,
mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
FILE_CHECK);
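Review bot: `ima_rdwr_violation_check(file)` is void and its outcome does not influence `rc`, so a detected ToMToU or open-writers condition is recorded through ima_add_violation() but the open still succeeds; if that detect-only behaviour is intended, state it at the call site, e.g. `/* detect-only: records an invalid_pcr violation, never fails the open */`. Because the check and process_measurement() are now separate calls, any locking inside process_measurement() (not shown here) forms a second critical section, so a write-open can interleave between the violation check and the measurement. ima_file_check() continues past the end of this hunk.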
--