Bug 585286

Summary: IMA breaks users of the dentry_open kernel interface
Product: Red Hat Enterprise Linux 6 Reporter: Simon Wilkinson <simon>
Component: kernelAssignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED DUPLICATE QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium Docs Contact:
Priority: low    
Version: 6.1CC: eparis, esandeen, jedgecombe, ktdreyer, stephan.wiesand
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-23 18:14:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Simon Wilkinson 2010-04-23 15:40:57 UTC
Description of problem:

The IMA subsystem adds an asymmetric interface to monitoring files. That is, in-kernel users of the dentry_open interface must register their open files with IMA, but the registrations are automatically deregistered by filp_close. IMA provides verbose debugging output if it sees a file being deregistered that wasn't registered earlier.

ima_path_check(), which must be used to perform the registration, is a GPL-only symbol, so enabling IMA in effect breaks the dentry_open interface for non-GPL kernel modules. Whilst such modules can continue to function, the volume of debugging produced by IMA (a dump_stack every time a file is closed) seriously hampers the performance of the machine.

Whilst this is a general problem, in particular it breaks the Linux version of OpenAFS, which uses the dentry_open interface to access its cache files.

I raised this problem on the linux-security-module list in December 2009, and as a result the IMA interface was redesigned to remove the asymmetry of the register/unregister process. Those changes are in 2.6.33 - see the thread beginning at http://osdir.com/ml/linux-security-module/2009-12/msg00015.html for more details.

Many institutional users of OpenAFS use it with RHEL, so it would be great to have this fixed before the final release.

Comment 3 RHEL Product and Program Management 2010-04-23 17:51:12 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 4 Eric Paris 2010-04-23 18:14:20 UTC
I am going to mark this a duplicate of BZ 584901.  Even though this BZ has a much better description of the real problem, that one was opened first.  You should be able to find a patch which applies against RHEL6 in that BZ which should take care of this problem.  I will be proposing that patch for inclusion in RHEL6 although it's final determination is not yet known.

*** This bug has been marked as a duplicate of bug 584901 ***

Comment 5 Stephan Wiesand 2010-04-24 19:20:51 UTC
#584901 is private - would it be possible to make it accessible? I'd really like to keep track of this issue. Thanks.