On 09/05/14 06:10, J. R. Okajima wrote:
> Dmitry Kasatkin:
>> The following patch replaces IMA's usage of kernel_read() with a special
>> version which skips the security check that triggers a kernel panic
>> when AppArmor and IMA appraisal are enabled together.
> I know this is related to exit(2), but this behaviour of IMA is related
> to open(2) too.
> When O_DIRECT is specified, some filesystems (for example, ext2) call
> do_blockdev_direct_IO(), which acquires i_mutex. But
> IMA:process_measurement() already acquires i_mutex before kernel_read().
> It causes a deadlock even if you replace kernel_read() with a simpler one.
Hi,

It is a different issue. I made a patch more than a year ago which fixes the problem:
https://lkml.org/lkml/2013/2/20/601

I think we had to declare the purpose of the patch in a bit different way. IMA really does not need direct-io, and can temporarily drop the flag. As a side effect, it would fix the deadlock problem.

But I have a different patch now. I will post it today.

> How can we stop reading the file from IMA?

It is actually a very interesting question...

1) If you would like to use IMA without it reading a file, then I think I must disappoint you. It is not possible. IMA needs to read the file.

2) If you do not use IMA, then there is no problem for you, because IMA will not read a file if it is not used...

Have a nice day.

- Dmitry

>
> J. R. Okajima