ima: process_measurement() needlessly takes inode_lock() on MAY_READ

On IMA policy update, if a measure rule exists in the policy, IMA_MEASURE is set for ima_policy_flags which makes the violation_check variable always true. Coupled with a no-action on MAY_READ for a FILE_CHECK call, we're always taking the inode_lock(). This becomes a performance problem for extremely heavy read-only workloads. Therefore, prevent this only in the case there's no action to be taken. Signed-off-by: Frederick Lawler <fred@cloudflare.com> Acked-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Frederick Lawler <fred@cloudflare.com> 2025-03-27 11:09:11 -0500
committer: Roberto Sassu <roberto.sassu@huawei.com> 2025-04-22 16:39:32 +0200
commit: 30d68cb0c37ebe2dc63aa1d46a28b9163e61caa2 (patch)
tree: 2d530ebf3a0d053e068146932c307007fa25f188 /security
parent: 9c32cda43eb78f78c73aee4aa344b777714e259b (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f3e7ac513db3..f99ab1a3b0f0 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -245,7 +245,9 @@ static int process_measurement(struct file *file, const struct cred *cred,
 				&allowed_algos);
 	violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
 			    func == MMAP_CHECK_REQPROT) &&
-			   (ima_policy_flag & IMA_MEASURE));
+			   (ima_policy_flag & IMA_MEASURE) &&
+			   ((action & IMA_MEASURE) ||
+			    (file->f_mode & FMODE_WRITE)));
 	if (!action && !violation_check)
 		return 0;
author	Frederick Lawler <fred@cloudflare.com>	2025-03-27 11:09:11 -0500
committer	Roberto Sassu <roberto.sassu@huawei.com>	2025-04-22 16:39:32 +0200
commit	30d68cb0c37ebe2dc63aa1d46a28b9163e61caa2 (patch)
tree	2d530ebf3a0d053e068146932c307007fa25f188 /security
parent	9c32cda43eb78f78c73aee4aa344b777714e259b (diff)