Merge tag 'pull-securityfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull securityfs updates from Al Viro:
"Securityfs cleanups and fixes:

- one extra reference is enough to pin a dentry down; no need for
two. Switch to regular scheme, similar to shmem, debugfs, etc. This
fixes a securityfs_recursive_remove() dentry leak, among other
things.

- we need to have the filesystem pinned to prevent the contents
disappearing; what we do not need is pinning it for each file.
Doing that only for files and directories in the root is enough.

- the previous two changes allow us to get rid of the racy kludges in
efi_secret_unlink(), where we can use simple_unlink() instead of
securityfs_remove(). Which does not require unlocking and relocking
the parent, with all deadlocks that invites.

- Make securityfs_remove() take the entire subtree out, turning
securityfs_recursive_remove() into its alias. Makes a lot more
sense for callers and fixes a mount leak, while we are at it.

- Making securityfs_remove() remove the entire subtree allows for
much simpler life in most of the users - efi_secret, ima_fs, evm,
ipe, tpm get cleaner. I hadn't touched apparmor use of securityfs,
but I suspect that it would be useful there as well"

* tag 'pull-securityfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
tpm: don't bother with removal of files in directory we'll be removing
ipe: don't bother with removal of files in directory we'll be removing
evm_secfs: clear securityfs interactions
ima_fs: get rid of lookup-by-dentry stuff
ima_fs: don't bother with removal of files in directory we'll be removing
efi_secret: clean securityfs use up
make securityfs_remove() remove the entire subtree
fix locking in efi_secret_unlink()
securityfs: pin filesystem only for objects directly in root
securityfs: don't pin dentries twice, once is enough...

+97 -251
+12 -34
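--- a/drivers/char/tpm/eventlog/common.c
+++ b/drivers/char/tpm/eventlog/common.c
@@ -32,7 +32,7 @@
 struct tpm_chip *chip;
 
 inode_lock(inode);
-if (!inode->i_private) {
+if (!inode->i_nlink) {
 inode_unlock(inode);
 return -ENODEV;
 }
@@ -105,7 +105,7 @@
 void tpm_bios_log_setup(struct tpm_chip *chip)
 {
 const char *name = dev_name(&chip->dev);
-unsigned int cnt;
+struct dentry *dentry;
 int log_version;
 int rc = 0;
 
@@ -117,14 +117,12 @@
 return;
 log_version = rc;
 
-cnt = 0;
-chip->bios_dir[cnt] = securityfs_create_dir(name, NULL);
+chip->bios_dir = securityfs_create_dir(name, NULL);
 /* NOTE: securityfs_create_dir can return ENODEV if securityfs is
 * compiled out. The caller should ignore the ENODEV return code.
 */
-if (IS_ERR(chip->bios_dir[cnt]))
-goto err;
-cnt++;
+if (IS_ERR(chip->bios_dir))
+return;
 
 chip->bin_log_seqops.chip = chip;
 if (log_version == EFI_TCG2_EVENT_LOG_FORMAT_TCG_2)
@@ -133,14 +135,13 @@
 &tpm1_binary_b_measurements_seqops;
 
 
-chip->bios_dir[cnt] =
+dentry =
 securityfs_create_file("binary_bios_measurements",
-0440, chip->bios_dir[0],
+0440, chip->bios_dir,
 (void *)&chip->bin_log_seqops,
 &tpm_bios_measurements_ops);
-if (IS_ERR(chip->bios_dir[cnt]))
+if (IS_ERR(dentry))
 goto err;
-cnt++;
 
 if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
 
@@ -147,42 +150,23 @@
 chip->ascii_log_seqops.seqops =
 &tpm1_ascii_b_measurements_seqops;
 
-chip->bios_dir[cnt] =
+dentry =
 securityfs_create_file("ascii_bios_measurements",
-0440, chip->bios_dir[0],
+0440, chip->bios_dir,
 (void *)&chip->ascii_log_seqops,
 &tpm_bios_measurements_ops);
-if (IS_ERR(chip->bios_dir[cnt]))
+if (IS_ERR(dentry))
 goto err;
-cnt++;
 }
 
 return;
 
 err:
-chip->bios_dir[cnt] = NULL;
 tpm_bios_log_teardown(chip);
 return;
 }
 
 void tpm_bios_log_teardown(struct tpm_chip *chip)
 {
-int i;
-struct inode *inode;
-
-/* securityfs_remove currently doesn't take care of handling sync
-* between removal and opening of pseudo files. To handle this, a
-* workaround is added by making i_private = NULL here during removal
-* and to check it during open(), both within inode_lock()/unlock().
-* This design ensures that open() either safely gets kref or fails.
-*/
-for (i = (TPM_NUM_EVENT_LOG_FILES - 1); i >= 0; i--) {
-if (chip->bios_dir[i]) {
-inode = d_inode(chip->bios_dir[i]);
-inode_lock(inode);
-inode->i_private = NULL;
-inode_unlock(inode);
-securityfs_remove(chip->bios_dir[i]);
-}
-}
+securityfs_remove(chip->bios_dir);
 }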
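Review bot: The open() side now gates on `inode->i_nlink` instead of `i_private` (first hunk), but the comment that explained the open-vs-teardown race was deleted together with the old tpm_bios_log_teardown() body and nothing replaces it; this presumably relies on the subtree removal dropping i_nlink under the inode lock, and a one-liner such as `/* i_nlink goes to 0 under inode_lock() when securityfs_remove() takes the directory out, so an open() racing with tpm_bios_log_teardown() fails here instead of grabbing a dying chip */` would keep that reasoning in the file. Separately, the err: path calls tpm_bios_log_teardown() but leaves `chip->bios_dir` pointing at the dentry that was just removed; since securityfs_remove() tolerates NULL (the IS_ERR_OR_NULL check in security/inode.c), adding `chip->bios_dir = NULL;` after the teardown call would make any later teardown of a chip whose setup failed a no-op rather than a pass over a stale pointer, assuming such a second teardown can happen. The function containing the open() check starts outside the hunk.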
+9 -38
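--- a/drivers/virt/coco/efi_secret/efi_secret.c
+++ b/drivers/virt/coco/efi_secret/efi_secret.c
@@ -31,8 +31,6 @@
 
 struct efi_secret {
 struct dentry *secrets_dir;
-struct dentry *fs_dir;
-struct dentry *fs_files[EFI_SECRET_NUM_FILES];
 void __iomem *secret_data;
 u64 secret_data_len;
 };
@@ -117,10 +119,8 @@
 
 static int efi_secret_unlink(struct inode *dir, struct dentry *dentry)
 {
-struct efi_secret *s = efi_secret_get();
 struct inode *inode = d_inode(dentry);
 struct secret_entry *e = (struct secret_entry *)inode->i_private;
-int i;
 
 if (e) {
 /* Zero out the secret data */
@@ -128,19 +132,7 @@
 
 inode->i_private = NULL;
 
-for (i = 0; i < EFI_SECRET_NUM_FILES; i++)
-if (s->fs_files[i] == dentry)
-s->fs_files[i] = NULL;
-
-/*
-* securityfs_remove tries to lock the directory's inode, but we reach
-* the unlink callback when it's already locked
-*/
-inode_unlock(dir);
-securityfs_remove(dentry);
-inode_lock(dir);
-
-return 0;
+return simple_unlink(inode, dentry);
 }
 
 static const struct inode_operations efi_secret_dir_inode_operations = {
@@ -178,15 +194,6 @@
 static void efi_secret_securityfs_teardown(struct platform_device *dev)
 {
 struct efi_secret *s = efi_secret_get();
-int i;
-
-for (i = (EFI_SECRET_NUM_FILES - 1); i >= 0; i--) {
-securityfs_remove(s->fs_files[i]);
-s->fs_files[i] = NULL;
-}
-
-securityfs_remove(s->fs_dir);
-s->fs_dir = NULL;
 
 securityfs_remove(s->secrets_dir);
 s->secrets_dir = NULL;
@@ -192,7 +217,7 @@
 unsigned char *ptr;
 struct secret_header *h;
 struct secret_entry *e;
-struct dentry *dent;
+struct dentry *dent, *dir;
 char guid_str[EFI_VARIABLE_GUID_LEN + 1];
 
 ptr = (void __force *)s->secret_data;
@@ -215,8 +240,6 @@
 }
 
 s->secrets_dir = NULL;
-s->fs_dir = NULL;
-memset(s->fs_files, 0, sizeof(s->fs_files));
 
 dent = securityfs_create_dir("secrets", NULL);
 if (IS_ERR(dent)) {
@@ -224,14 +251,13 @@
 }
 s->secrets_dir = dent;
 
-dent = securityfs_create_dir("coco", s->secrets_dir);
-if (IS_ERR(dent)) {
+dir = securityfs_create_dir("coco", s->secrets_dir);
+if (IS_ERR(dir)) {
 dev_err(&dev->dev, "Error creating coco securityfs directory entry err=%ld\n",
-PTR_ERR(dent));
-return PTR_ERR(dent);
+PTR_ERR(dir));
+return PTR_ERR(dir);
 }
-d_inode(dent)->i_op = &efi_secret_dir_inode_operations;
-s->fs_dir = dent;
+d_inode(dir)->i_op = &efi_secret_dir_inode_operations;
 
 bytes_left = h->len - sizeof(*h);
 ptr += sizeof(*h);
@@ -246,15 +274,14 @@
 if (efi_guidcmp(e->guid, NULL_GUID)) {
 efi_guid_to_str(&e->guid, guid_str);
 
-dent = securityfs_create_file(guid_str, 0440, s->fs_dir, (void *)e,
+dent = securityfs_create_file(guid_str, 0440, dir, (void *)e,
 &efi_secret_bin_file_fops);
 if (IS_ERR(dent)) {
 dev_err(&dev->dev, "Error creating efi_secret securityfs entry\n");
 ret = PTR_ERR(dent);
 goto err_cleanup;
 }
-
-s->fs_files[i++] = dent;
+i++;
 }
 ptr += e->len;
 bytes_left -= e->len;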
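Review bot: `return simple_unlink(inode, dentry);` in efi_secret_unlink() passes the victim's own inode as the first argument, but simple_unlink() takes the parent directory inode — the `dir` parameter this ->unlink callback already receives — so the line should read `return simple_unlink(dir, dentry);`. As far as I can tell the nlink drop still lands on the right inode because simple_unlink() derives it from the dentry, but the directory timestamp update is applied to the secret file instead of the `coco` directory. A short comment on the struct change would also help a later reader: the `coco` directory and its per-secret files are no longer tracked because `securityfs_remove(s->secrets_dir)` in the teardown hunk now takes the whole subtree out.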
+2 -1
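--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2211,7 +2211,6 @@
 const char *target,
 const struct inode_operations *iops);
 extern void securityfs_remove(struct dentry *dentry);
-extern void securityfs_recursive_remove(struct dentry *dentry);
 
 #else /* CONFIG_SECURITYFS */
 
@@ -2241,6 +2242,8 @@
 {}
 
 #endif
+
+#define securityfs_recursive_remove securityfs_remove
 
 #ifdef CONFIG_BPF_SYSCALL
 union bpf_attr;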
+1 -1
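--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -182,7 +182,7 @@
 unsigned long duration[TPM_NUM_DURATIONS]; /* jiffies */
 bool duration_adjusted;
 
-struct dentry *bios_dir[TPM_NUM_EVENT_LOG_FILES];
+struct dentry *bios_dir;
 
 const struct attribute_group *groups[3 + TPM_MAX_HASHES];
 unsigned int groups_cnt;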
+19 -43
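--- a/security/inode.c
+++ b/security/inode.c
@@ -112,18 +112,20 @@
 struct dentry *dentry;
 struct inode *dir, *inode;
 int error;
+bool pinned = false;
 
 if (!(mode & S_IFMT))
 mode = (mode & S_IALLUGO) | S_IFREG;
 
 pr_debug("securityfs: creating file '%s'\n",name);
 
-error = simple_pin_fs(&fs_type, &mount, &mount_count);
-if (error)
-return ERR_PTR(error);
-
-if (!parent)
+if (!parent) {
+error = simple_pin_fs(&fs_type, &mount, &mount_count);
+if (error)
+return ERR_PTR(error);
+pinned = true;
 parent = mount->mnt_root;
+}
 
 dir = d_inode(parent);
 
@@ -161,7 +159,6 @@
 inode->i_fop = fops;
 }
 d_instantiate(dentry, inode);
-dget(dentry);
 inode_unlock(dir);
 return dentry;
 
@@ -169,7 +168,8 @@
 dentry = ERR_PTR(error);
 out:
 inode_unlock(dir);
-simple_release_fs(&mount, &mount_count);
+if (pinned)
+simple_release_fs(&mount, &mount_count);
 return dentry;
 }
 
@@ -281,6 +279,12 @@
 }
 EXPORT_SYMBOL_GPL(securityfs_create_symlink);
 
+static void remove_one(struct dentry *victim)
+{
+if (victim->d_parent == victim->d_sb->s_root)
+simple_release_fs(&mount, &mount_count);
+}
+
 /**
 * securityfs_remove - removes a file or directory from the securityfs filesystem
 *
@@ -299,43 +291,11 @@
 * This function is required to be called in order for the file to be
 * removed. No automatic cleanup of files will happen when a module is
 * removed; you are responsible here.
+*
+* AV: when applied to directory it will take all children out; no need to call
+* it for descendents if ancestor is getting killed.
 */
 void securityfs_remove(struct dentry *dentry)
-{
-struct inode *dir;
-
-if (IS_ERR_OR_NULL(dentry))
-return;
-
-dir = d_inode(dentry->d_parent);
-inode_lock(dir);
-if (simple_positive(dentry)) {
-if (d_is_dir(dentry))
-simple_rmdir(dir, dentry);
-else
-simple_unlink(dir, dentry);
-dput(dentry);
-}
-inode_unlock(dir);
-simple_release_fs(&mount, &mount_count);
-}
-EXPORT_SYMBOL_GPL(securityfs_remove);
-
-static void remove_one(struct dentry *victim)
-{
-simple_release_fs(&mount, &mount_count);
-}
-
-/**
-* securityfs_recursive_remove - recursively removes a file or directory
-*
-* @dentry: a pointer to a the dentry of the file or directory to be removed.
-*
-* This function recursively removes a file or directory in securityfs that was
-* previously created with a call to another securityfs function (like
-* securityfs_create_file() or variants thereof.)
-*/
-void securityfs_recursive_remove(struct dentry *dentry)
 {
 if (IS_ERR_OR_NULL(dentry))
 return;
@@ -312,7 +336,7 @@
 simple_recursive_removal(dentry, remove_one);
 simple_release_fs(&mount, &mount_count);
 }
-EXPORT_SYMBOL_GPL(securityfs_recursive_remove);
+EXPORT_SYMBOL_GPL(securityfs_remove);
 
 #ifdef CONFIG_SECURITY
 static struct dentry *lsm_dentry;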
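Review bot: remove_one() silently encodes the new pinning rule — only objects whose parent is the filesystem root hold a reference on the mount — but carries no comment, and the create path that takes that reference (the `pinned` flag in the first hunk) does not mention its counterpart either. Suggest `/* only objects directly in the root pin the filesystem; this mirrors the !parent branch of the create path */` above the `d_parent == s_root` test so the two sides stay in step when either is touched. The kerneldoc addition also misspells "descendents" (should be "descendants"), and the trailing `simple_release_fs()` after simple_recursive_removal() presumably pairs with a pin taken in the elided lines between the last two hunks — if it does not, a root child would be released twice. The body of securityfs_remove() between those hunks is outside view.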
+7 -8
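--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -17,7 +17,6 @@
 #include "evm.h"
 
 static struct dentry *evm_dir;
-static struct dentry *evm_init_tpm;
 static struct dentry *evm_symlink;
 
 #ifdef CONFIG_EVM_ADD_XATTRS
@@ -285,7 +286,7 @@
 {
 evm_xattrs = securityfs_create_file("evm_xattrs", 0660, evm_dir, NULL,
 &evm_xattr_ops);
-if (!evm_xattrs || IS_ERR(evm_xattrs))
+if (IS_ERR(evm_xattrs))
 return -EFAULT;
 
 return 0;
@@ -300,21 +301,22 @@
 int __init evm_init_secfs(void)
 {
 int error = 0;
+struct dentry *dentry;
 
 evm_dir = securityfs_create_dir("evm", integrity_dir);
-if (!evm_dir || IS_ERR(evm_dir))
+if (IS_ERR(evm_dir))
 return -EFAULT;
 
-evm_init_tpm = securityfs_create_file("evm", 0660,
-evm_dir, NULL, &evm_key_ops);
-if (!evm_init_tpm || IS_ERR(evm_init_tpm)) {
+dentry = securityfs_create_file("evm", 0660,
+evm_dir, NULL, &evm_key_ops);
+if (IS_ERR(dentry)) {
 error = -EFAULT;
 goto out;
 }
 
 evm_symlink = securityfs_create_symlink("evm", NULL,
 "integrity/evm/evm", NULL);
-if (!evm_symlink || IS_ERR(evm_symlink)) {
+if (IS_ERR(evm_symlink)) {
 error = -EFAULT;
 goto out;
 }
@@ -328,7 +328,6 @@
 return 0;
 out:
 securityfs_remove(evm_symlink);
-securityfs_remove(evm_init_tpm);
 securityfs_remove(evm_dir);
 return error;
 }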
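Review bot: The failure branches rewritten in evm_init_secfs() (and the `evm_xattrs` check in the second hunk) still collapse every creation error into `-EFAULT`, even though the now-sole `IS_ERR()` test gives us the real errno for free; `return PTR_ERR(evm_dir);` and `error = PTR_ERR(dentry);` / `error = PTR_ERR(evm_symlink);` would let a caller tell a compiled-out securityfs apart from an allocation failure. This is pre-existing, but the lines are being touched anyway. Note also that the `out:` path leaves `evm_dir` pointing at the dentry securityfs_remove() just took out; `evm_dir = NULL;` after the removal would keep evm_init_xattrs() or any later caller from reusing it as a parent, if such a call can follow a failed init.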
+33 -104
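--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -116,28 +116,6 @@
 seq_putc(m, *(char *)data++);
 }
 
-static struct dentry **ascii_securityfs_measurement_lists __ro_after_init;
-static struct dentry **binary_securityfs_measurement_lists __ro_after_init;
-static int securityfs_measurement_list_count __ro_after_init;
-
-static void lookup_template_data_hash_algo(int *algo_idx, enum hash_algo *algo,
-struct seq_file *m,
-struct dentry **lists)
-{
-struct dentry *dentry;
-int i;
-
-dentry = file_dentry(m->file);
-
-for (i = 0; i < securityfs_measurement_list_count; i++) {
-if (dentry == lists[i]) {
-*algo_idx = i;
-*algo = ima_algo_array[i].algo;
-break;
-}
-}
-}
-
 /* print format:
 * 32bit-le=pcr#
 * char[n]=template digest
@@ -138,9 +160,10 @@
 algo_idx = ima_sha1_idx;
 algo = HASH_ALGO_SHA1;
 
-if (m->file != NULL)
-lookup_template_data_hash_algo(&algo_idx, &algo, m,
-binary_securityfs_measurement_lists);
+if (m->file != NULL) {
+algo_idx = (unsigned long)file_inode(m->file)->i_private;
+algo = ima_algo_array[algo_idx].algo;
+}
 
 /* get entry */
 e = qe->entry;
@@ -235,9 +256,10 @@
 algo_idx = ima_sha1_idx;
 algo = HASH_ALGO_SHA1;
 
-if (m->file != NULL)
-lookup_template_data_hash_algo(&algo_idx, &algo, m,
-ascii_securityfs_measurement_lists);
+if (m->file != NULL) {
+algo_idx = (unsigned long)file_inode(m->file)->i_private;
+algo = ima_algo_array[algo_idx].algo;
+}
 
 /* get entry */
 e = qe->entry;
@@ -376,11 +396,6 @@
 
 static struct dentry *ima_dir;
 static struct dentry *ima_symlink;
-static struct dentry *binary_runtime_measurements;
-static struct dentry *ascii_runtime_measurements;
-static struct dentry *runtime_measurements_count;
-static struct dentry *violations;
-static struct dentry *ima_policy;
 
 enum ima_fs_flags {
 IMA_FS_BUSY,
@@ -392,64 +417,33 @@
 };
 #endif
 
-static void __init remove_securityfs_measurement_lists(struct dentry **lists)
-{
-int i;
-
-if (lists) {
-for (i = 0; i < securityfs_measurement_list_count; i++)
-securityfs_remove(lists[i]);
-
-kfree(lists);
-}
-}
-
 static int __init create_securityfs_measurement_lists(void)
 {
-char file_name[NAME_MAX + 1];
-struct dentry *dentry;
-u16 algo;
-int i;
-
-securityfs_measurement_list_count = NR_BANKS(ima_tpm_chip);
+int count = NR_BANKS(ima_tpm_chip);
 
 if (ima_sha1_idx >= NR_BANKS(ima_tpm_chip))
-securityfs_measurement_list_count++;
+count++;
 
-ascii_securityfs_measurement_lists =
-kcalloc(securityfs_measurement_list_count, sizeof(struct dentry *),
-GFP_KERNEL);
-if (!ascii_securityfs_measurement_lists)
-return -ENOMEM;
-
-binary_securityfs_measurement_lists =
-kcalloc(securityfs_measurement_list_count, sizeof(struct dentry *),
-GFP_KERNEL);
-if (!binary_securityfs_measurement_lists)
-return -ENOMEM;
-
-for (i = 0; i < securityfs_measurement_list_count; i++) {
-algo = ima_algo_array[i].algo;
+for (int i = 0; i < count; i++) {
+u16 algo = ima_algo_array[i].algo;
+char file_name[NAME_MAX + 1];
+struct dentry *dentry;
 
 sprintf(file_name, "ascii_runtime_measurements_%s",
 hash_algo_name[algo]);
 dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
-ima_dir, NULL,
+ima_dir, (void *)(uintptr_t)i,
 &ima_ascii_measurements_ops);
 if (IS_ERR(dentry))
 return PTR_ERR(dentry);
 
-ascii_securityfs_measurement_lists[i] = dentry;
-
 sprintf(file_name, "binary_runtime_measurements_%s",
 hash_algo_name[algo]);
 dentry = securityfs_create_file(file_name, S_IRUSR | S_IRGRP,
-ima_dir, NULL,
+ima_dir, (void *)(uintptr_t)i,
 &ima_measurements_ops);
 if (IS_ERR(dentry))
 return PTR_ERR(dentry);
-
-binary_securityfs_measurement_lists[i] = dentry;
 }
 
 return 0;
@@ -477,8 +533,7 @@
 
 ima_update_policy();
 #if !defined(CONFIG_IMA_WRITE_POLICY) && !defined(CONFIG_IMA_READ_POLICY)
-securityfs_remove(ima_policy);
-ima_policy = NULL;
+securityfs_remove(file->f_path.dentry);
 #elif defined(CONFIG_IMA_WRITE_POLICY)
 clear_bit(IMA_FS_BUSY, &ima_fs_flags);
 #elif defined(CONFIG_IMA_READ_POLICY)
@@ -496,10 +553,8 @@
 
 int __init ima_fs_init(void)
 {
+struct dentry *dentry;
 int ret;
-
-ascii_securityfs_measurement_lists = NULL;
-binary_securityfs_measurement_lists = NULL;
 
 ima_dir = securityfs_create_dir("ima", integrity_dir);
 if (IS_ERR(ima_dir))
@@ -514,57 +573,45 @@
 if (ret != 0)
 goto out;
 
-binary_runtime_measurements =
-securityfs_create_symlink("binary_runtime_measurements", ima_dir,
+dentry = securityfs_create_symlink("binary_runtime_measurements", ima_dir,
 "binary_runtime_measurements_sha1", NULL);
-if (IS_ERR(binary_runtime_measurements)) {
-ret = PTR_ERR(binary_runtime_measurements);
+if (IS_ERR(dentry)) {
+ret = PTR_ERR(dentry);
 goto out;
 }
 
-ascii_runtime_measurements =
-securityfs_create_symlink("ascii_runtime_measurements", ima_dir,
+dentry = securityfs_create_symlink("ascii_runtime_measurements", ima_dir,
 "ascii_runtime_measurements_sha1", NULL);
-if (IS_ERR(ascii_runtime_measurements)) {
-ret = PTR_ERR(ascii_runtime_measurements);
+if (IS_ERR(dentry)) {
+ret = PTR_ERR(dentry);
 goto out;
 }
 
-runtime_measurements_count =
-securityfs_create_file("runtime_measurements_count",
+dentry = securityfs_create_file("runtime_measurements_count",
 S_IRUSR | S_IRGRP, ima_dir, NULL,
 &ima_measurements_count_ops);
-if (IS_ERR(runtime_measurements_count)) {
-ret = PTR_ERR(runtime_measurements_count);
+if (IS_ERR(dentry)) {
+ret = PTR_ERR(dentry);
 goto out;
 }
 
-violations =
-securityfs_create_file("violations", S_IRUSR | S_IRGRP,
+dentry = securityfs_create_file("violations", S_IRUSR | S_IRGRP,
 ima_dir, NULL, &ima_htable_violations_ops);
-if (IS_ERR(violations)) {
-ret = PTR_ERR(violations);
+if (IS_ERR(dentry)) {
+ret = PTR_ERR(dentry);
 goto out;
 }
 
-ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS,
+dentry = securityfs_create_file("policy", POLICY_FILE_FLAGS,
 ima_dir, NULL,
 &ima_measure_policy_ops);
-if (IS_ERR(ima_policy)) {
-ret = PTR_ERR(ima_policy);
+if (IS_ERR(dentry)) {
+ret = PTR_ERR(dentry);
 goto out;
 }
 
 return 0;
 out:
-securityfs_remove(ima_policy);
-securityfs_remove(violations);
-securityfs_remove(runtime_measurements_count);
-securityfs_remove(ascii_runtime_measurements);
-securityfs_remove(binary_runtime_measurements);
-remove_securityfs_measurement_lists(ascii_securityfs_measurement_lists);
-remove_securityfs_measurement_lists(binary_securityfs_measurement_lists);
-securityfs_measurement_list_count = 0;
 securityfs_remove(ima_symlink);
 securityfs_remove(ima_dir);
 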
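Review bot: The hash-algorithm index now rides in `i_private` as an integer disguised as a pointer — `(void *)(uintptr_t)i` at creation, `(unsigned long)file_inode(m->file)->i_private` in both show-path hunks — with no comment at either end and no range check before `ima_algo_array[algo_idx]`. The cookie is kernel-internal and set from a loop bounded by `count`, so a check is not strictly needed, but the contract should be written down where the value is stored: `/* i_private carries the ima_algo_array index of this list; both measurement show paths read it back */`. While the loop body is being reshaped, `sprintf(file_name, ...)` into `char file_name[NAME_MAX + 1]` could become `snprintf(file_name, sizeof(file_name), ...)` — hash_algo_name[] entries are short, so this is hygiene rather than a live overflow. The policy-release hunk now removes `file->f_path.dentry` from inside ->release; the file's own reference keeps the dentry alive for that call, but a comment saying so would spare the next reader the same check. The show functions and create_securityfs_measurement_lists() begin outside their hunks.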
+12 -20
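--- a/security/ipe/fs.c
+++ b/security/ipe/fs.c
@@ -12,11 +12,8 @@
 #include "policy.h"
 #include "audit.h"
 
-static struct dentry *np __ro_after_init;
 static struct dentry *root __ro_after_init;
 struct dentry *policy_root __ro_after_init;
-static struct dentry *audit_node __ro_after_init;
-static struct dentry *enforce_node __ro_after_init;
 
 /**
 * setaudit() - Write handler for the securityfs node, "ipe/success_audit"
@@ -197,27 +200,26 @@
 {
 int rc = 0;
 struct ipe_policy *ap;
+struct dentry *dentry;
 
 if (!ipe_enabled)
 return -EOPNOTSUPP;
 
 root = securityfs_create_dir("ipe", NULL);
-if (IS_ERR(root)) {
-rc = PTR_ERR(root);
-goto err;
-}
+if (IS_ERR(root))
+return PTR_ERR(root);
 
-audit_node = securityfs_create_file("success_audit", 0600, root,
+dentry = securityfs_create_file("success_audit", 0600, root,
 NULL, &audit_fops);
-if (IS_ERR(audit_node)) {
-rc = PTR_ERR(audit_node);
+if (IS_ERR(dentry)) {
+rc = PTR_ERR(dentry);
 goto err;
 }
 
-enforce_node = securityfs_create_file("enforce", 0600, root, NULL,
+dentry = securityfs_create_file("enforce", 0600, root, NULL,
 &enforce_fops);
-if (IS_ERR(enforce_node)) {
-rc = PTR_ERR(enforce_node);
+if (IS_ERR(dentry)) {
+rc = PTR_ERR(dentry);
 goto err;
 }
 
@@ -233,18 +237,14 @@
 goto err;
 }
 
-np = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops);
-if (IS_ERR(np)) {
-rc = PTR_ERR(np);
+dentry = securityfs_create_file("new_policy", 0200, root, NULL, &np_fops);
+if (IS_ERR(dentry)) {
+rc = PTR_ERR(dentry);
 goto err;
 }
 
 return 0;
 err:
-securityfs_remove(np);
-securityfs_remove(policy_root);
-securityfs_remove(enforce_node);
-securityfs_remove(audit_node);
 securityfs_remove(root);
 return rc;
 }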
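Review bot: After `securityfs_remove(root);` on the err: path, `root` and `policy_root` still hold pointers to dentries the subtree removal just took out, and `policy_root` is non-static, so it survives a failed init for other translation units to see. The staleness predates this change, but since the hunk is already pruning the per-node removals, `policy_root = NULL;` and `root = NULL;` before `return rc;` would turn any later `securityfs_remove()` or parent lookup on them into a NULL no-op instead of a use of a freed dentry — assuming anything can consult them after init fails; `__ro_after_init` does not forbid the store at this point. The enclosing init function begins outside the hunk.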
+2 -2
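--- a/security/ipe/policy_fs.c
+++ b/security/ipe/policy_fs.c
@@ -438,7 +438,7 @@
 */
 void ipe_del_policyfs_node(struct ipe_policy *p)
 {
-securityfs_recursive_remove(p->policyfs);
+securityfs_remove(p->policyfs);
 p->policyfs = NULL;
 }
 
@@ -485,6 +485,6 @@
 
 return 0;
 err:
-securityfs_recursive_remove(policyfs);
+securityfs_remove(policyfs);
 return rc;
 }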