Hi Scott,

On Thu, 2022-08-18 at 10:05 +0800, GUO Zihua wrote:
> IMA relies on lsm policy update notifier to be notified when it should
> update its lsm rules.

^IMA relies on the blocking LSM policy notifier callback to update the LSM based IMA policy rules.

> When SELinux updates its policies, ima would be notified and starts
> updating all its lsm rules one-by-one. During this time, -ESTALE would
> be returned by ima_filter_rule_match() if it is called with an lsm rule
> that has not yet been updated. In ima_match_rules(), -ESTALE is not
> handled, and the lsm rule is considered a match, causing extra files
> to be measured by IMA.
>
> Fix it by retrying for at most three times if -ESTALE is returned by
> ima_filter_rule_match().

With the lazy LSM policy update, retrying only once was needed. With the blocking LSM notifier callback, why is three times needed? Is this really a function of how long it takes IMA to walk and update ALL the LSM based IMA policy rules? Would having SELinux wait for the -ESTALE to change do anything?

>
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")
> Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx>

thanks,

Mimi
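The failure mode described in the commit message, and Mimi's question about why the retry count matters, can be seen in a small user-space model. This is an added example, not kernel code and not the submitted patch: the `struct lsm_rule`, the `model_*` functions and the "tick" model of the LSM policy update walking the rule list are constructed assumptions standing in for `ima_filter_rule_match()` and the notifier. It shows the pre-fix matcher treating a stale, non-matching rule as a match (the extra measurement), the bounded-retry matcher skipping it, and how the number of retries needed tracks how far the update walk still has to go.

```c
/*
 * Simplified user-space model of the -ESTALE handling discussed in this
 * thread. Added illustration only: the struct, function names and the
 * "tick" model of the LSM policy update are constructed assumptions, not
 * IMA's real data structures or code.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define ESTALE_RETRIES 3  /* retry budget proposed by the patch under discussion */

struct lsm_rule {
	bool stale;          /* rule not yet re-resolved after the LSM policy changed */
	int  match_value;    /* constructed: 1 = the subject matches, 0 = it does not */
	int  ticks_to_fresh; /* constructed: update steps until the rule is re-resolved */
};

/* Model of ima_filter_rule_match(): 1 on match, 0 on mismatch, -ESTALE
 * while the rule's LSM data is out of date. */
static int model_filter_rule_match(struct lsm_rule *r)
{
	if (r->stale)
		return -ESTALE;
	return r->match_value;
}

/* Model of the LSM policy update walking the rule list: each call is one
 * step of progress; the rule stops being stale once its step is reached. */
static void model_update_tick(struct lsm_rule *r)
{
	if (r->stale && --r->ticks_to_fresh <= 0)
		r->stale = false;
}

/* Before the fix: only rc == 0 was taken as "no match", so a negative
 * -ESTALE falls through and is treated as a match. Returns true if the
 * file would be measured. */
static bool measure_buggy(struct lsm_rule *r)
{
	int rc = model_filter_rule_match(r);
	return rc != 0;  /* -ESTALE != 0, so a stale rule "matches" */
}

/* After the fix: retry while -ESTALE is returned, at most `retries` times,
 * letting the policy update make progress in between. Returns the last rc,
 * so a caller still sees -ESTALE if the update did not catch up in time. */
static int match_with_retry(struct lsm_rule *r, int retries)
{
	int rc = model_filter_rule_match(r);
	int attempt;

	for (attempt = 0; rc == -ESTALE && attempt < retries; attempt++) {
		model_update_tick(r);  /* stands in for the notifier making progress */
		rc = model_filter_rule_match(r);
	}
	return rc;
}

/* Decide whether to measure: only an explicit match counts, so a rule that
 * is still stale after the retry budget is NOT measured (the opposite of
 * the bug). This default is a modeling choice, not something the thread settles. */
static bool measure_fixed(struct lsm_rule *r, int retries)
{
	return match_with_retry(r, retries) == 1;
}

/* Scenario 1: a stale rule that would NOT match once updated. */
static int buggy_measures_nonmatching_stale_rule(void)
{
	struct lsm_rule r = { .stale = true, .match_value = 0, .ticks_to_fresh = 1 };
	return measure_buggy(&r);  /* 1: the extra measurement caused by the bug */
}

static int fixed_skips_nonmatching_stale_rule(void)
{
	struct lsm_rule r = { .stale = true, .match_value = 0, .ticks_to_fresh = 1 };
	return measure_fixed(&r, ESTALE_RETRIES);  /* 0: no spurious measurement */
}

/* Scenario 2: smallest retry count that sees a real match when the update
 * walk still has `ticks` steps to go before it reaches this rule. */
static int retries_needed_for_ticks(int ticks)
{
	int n;

	for (n = 0; n <= 16; n++) {
		struct lsm_rule r = { .stale = true, .match_value = 1, .ticks_to_fresh = ticks };
		if (match_with_retry(&r, n) == 1)
			return n;
	}
	return -1;  /* never caught up within 16 retries */
}

int main(void)
{
	printf("buggy: stale non-matching rule measured? %d\n", buggy_measures_nonmatching_stale_rule());
	printf("fixed: stale non-matching rule measured? %d\n", fixed_skips_nonmatching_stale_rule());
	printf("retries needed when the update is 1 step away: %d\n", retries_needed_for_ticks(1));
	printf("retries needed when the update is 3 steps away: %d\n", retries_needed_for_ticks(3));
	return 0;
}
```

In this model the retry budget is exactly the number of update steps the matcher is willing to wait for, which is the dependency Mimi is asking about: with a one-step update a single retry suffices, while a rule near the end of a long walk needs as many retries as there are steps left, and a budget that is too small leaves `match_with_retry()` returning -ESTALE rather than a decision.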