IMA,LSM: Uncover hidden variable in ima_match_rules()

Message ID 77003d04-f3a4-46b1-9368-510b529fda44@schaufler-ca.com (mailing list archive)
State New

Commit Message

Casey Schaufler Nov. 26, 2024, 6:21 p.m. UTC
The variable name "prop" is inadvertently used twice in
ima_match_rules(), resulting in incorrect use of the local
variable when the function parameter should have been.
Rename the local variable and correct the use if the parameter.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima_policy.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comments

Paul Moore Nov. 27, 2024, 4:02 a.m. UTC | #1
On Tue, Nov 26, 2024 at 1:21 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> The variable name "prop" is inadvertently used twice in
> ima_match_rules(), resulting in incorrect use of the local
> variable when the function parameter should have been.
> Rename the local variable and correct the use if the parameter.

/if/of/

> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Suggested-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  security/integrity/ima/ima_policy.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)

Aside from the typo above (which can be fixed during the merge) this
looks good to me.  Based on the discussion in the previous revision it
looks like Roberto would prefer this go via the LSM tree, so I'm going
to merge this into lsm/stable-6.13 and send this up to Linus later
this week (or early next depending on how my holiday travels go);
additional testing is always welcome :)

I'm also going to swap Roberto's reviewed-by tag for his ack which he
gave on the previous revision as this is touching IMA code.

Patch

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index dbfd554b4624..21a8e54c383f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -635,7 +635,7 @@  static bool ima_match_rules(struct ima_rule_entry *rule,
 		return false;
 	for (i = 0; i < MAX_LSM_RULES; i++) {
 		int rc = 0;
-		struct lsm_prop prop = { };
+		struct lsm_prop inode_prop = { };
 
 		if (!lsm_rule->lsm[i].rule) {
 			if (!lsm_rule->lsm[i].args_p)
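Review bot: inode_prop is still declared at the top of the for body, in scope for every case of the switch, although the only user is the LSM_OBJ_* case in the next hunk. Consider moving the declaration into a braced block under LSM_OBJ_TYPE so the subject cases cannot reach it by name; that scoping is what would have prevented the original mix-up, and a comment noting that the parameter prop carries the subject's properties would help the next reader keep the two apart.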
@@ -649,15 +649,16 @@  static bool ima_match_rules(struct ima_rule_entry *rule,
 		case LSM_OBJ_USER:
 		case LSM_OBJ_ROLE:
 		case LSM_OBJ_TYPE:
-			security_inode_getlsmprop(inode, &prop);
-			rc = ima_filter_rule_match(&prop, lsm_rule->lsm[i].type,
+			security_inode_getlsmprop(inode, &inode_prop);
+			rc = ima_filter_rule_match(&inode_prop,
+						   lsm_rule->lsm[i].type,
 						   Audit_equal,
 						   lsm_rule->lsm[i].rule);
 			break;
 		case LSM_SUBJ_USER:
 		case LSM_SUBJ_ROLE:
 		case LSM_SUBJ_TYPE:
-			rc = ima_filter_rule_match(&prop, lsm_rule->lsm[i].type,
+			rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type,
 						   Audit_equal,
 						   lsm_rule->lsm[i].rule);
 			break;
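Review bot: the LSM_SUBJ_* call previously passed &prop, which resolved to the loop-local struct initialised with { } on each iteration, so subject rules were compared against an empty lsm_prop rather than the caller's value. The commit message should say that plainly, since it means LSM_SUBJ_USER/ROLE/TYPE conditions in an IMA policy were not being evaluated against the real subject, and it should carry a Fixes: tag naming the commit that introduced the local variable so the fix can be tracked to affected trees. The new call passes prop without &, which relies on the parameter being a struct lsm_prop pointer; the function signature is cut off in the hunk header, so that is worth a quick check when merging.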