mbox series

[v6,0/3] ima: Fix IMA mishandling of LSM based rule during

Message ID 20230105062312.14325-1-guozihua@huawei.com (mailing list archive)
Headers show
Series ima: Fix IMA mishandling of LSM based rule during | expand

Message

Guozihua (Scott) Jan. 5, 2023, 6:23 a.m. UTC 
Backports the following three patches to fix the issue of IMA mishandling
LSM based rule during LSM policy update, causing a file to match an
unexpected rule.

v6:
  Removed the redundent i in ima_free_rule().

v5:
  goes back to ima_lsm_free_rule() instead to avoid freeing
rule->fsname.

v4:
  Make use of the exisiting ima_free_rule() instead of backported
ima_lsm_free_rule(). Which resolves additional memory leak issues.

v3:
  Backport "LSM: switch to blocking policy update notifiers" as well, as
the prerequsite of "ima: use the lsm policy update notifier".

v2:
  Re-adjust the bacported logic.

GUO Zihua (1):
  ima: Handle -ESTALE returned by ima_filter_rule_match()

Janne Karhunen (2):
  LSM: switch to blocking policy update notifiers
  ima: use the lsm policy update notifier

 drivers/infiniband/core/device.c    |   4 +-
 include/linux/security.h            |  12 +--
 security/integrity/ima/ima.h        |   2 +
 security/integrity/ima/ima_main.c   |   8 ++
 security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
 security/security.c                 |  23 +++--
 security/selinux/hooks.c            |   2 +-
 security/selinux/selinuxfs.c        |   2 +-
 8 files changed, 155 insertions(+), 49 deletions(-)

Comments

Greg Kroah-Hartman Jan. 5, 2023, 11:47 a.m. UTC | #1 
On Thu, Jan 05, 2023 at 02:23:09PM +0800, GUO Zihua wrote:
> Backports the following three patches to fix the issue of IMA mishandling
> LSM based rule during LSM policy update, causing a file to match an
> unexpected rule.
> 
> v6:
>   Removed the redundent i in ima_free_rule().

Given the huge numbers of revisions in this series, I suggest working
together with the relevant subsystem maintainers to get a final,
working, agreed-apon version before submitting it again.

thanks,

greg k-h
Mimi Zohar Jan. 10, 2023, 1:30 p.m. UTC | #2 
On Thu, 2023-01-05 at 12:47 +0100, Greg KH wrote:
> On Thu, Jan 05, 2023 at 02:23:09PM +0800, GUO Zihua wrote:
> > Backports the following three patches to fix the issue of IMA mishandling
> > LSM based rule during LSM policy update, causing a file to match an
> > unexpected rule.
> > 
> > v6:
> >   Removed the redundent i in ima_free_rule().
> 
> Given the huge numbers of revisions in this series, I suggest working
> together with the relevant subsystem maintainers to get a final,
> working, agreed-apon version before submitting it again.

There was one minor change to v6, which is addressed in v7.  Paul has
reviewed the LSM/SELinux pieces.  I'd appreciate v7 of this patch set
be applied to stable 4.19.

FYI, commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") has already been backported to other stable
branches.