On Sat, 2014-05-10 at 01:01 +0900, J. R. Okajima wrote: > Mimi Zohar: > > Another approach was posted here > > http://marc.info/?l=linux-security-module&m=138919062430367&w=2 which > > also was not upstreamed. > > It might be better a little than previous one which handles the flag > temporarily. But, in order to make the code cleaner particulary for > do_blockdev_direct_IO(), I'd suggest > - make two new static inline functions like > r = ima_aware_file_inode_mutex_lock(file) and ..._unlock(r, file). > - these new functions are complied when CONFIG_IMA is enabled, otherwise > they are plain mutex_lock/unlock(). > - then do_blockdev_direct_IO() can call them blindly. > - of course, O_DIRECT_HAVELOCK should be complied only when CONFIG_IMA > is enabled too. > > I can guess that several people thinks that is still "ugly locking", but > the deadlock is much ugly in real world. And we need some workaround for > it.
I assume so, as there wasn't any comment. As a temporary fix, would it make sense not to measure/appraise/audit files opened with the direct-io flag based policy? Define a new IMA policy option 'directio'. A sample rule would look like: dont_appraise bprm_check directio fsuuid=... Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
