On 2022/9/22 19:09, Mimi Zohar wrote:
Hi Scott, On Wed, 2022-09-21 at 20:58 +0800, GUO Zihua wrote:} - if (!rc) - return false; + + if (rc == -ESTALE && !rule_reinitialized) {Ok, this limits allocating ima_lsm_copy_rule() to the first -ESTALE,+ lsm_rule = ima_lsm_copy_rule(rule); + if (lsm_rule) { + rule_reinitialized = true; + goto retry;but "retry" is also limited to the first -ESTALE.
Technically we would only need one retry. This loop is looping on all the lsm members of one rule, and ima_lsm_copy_rule would update all the lsm members of this rule. The "lsm member" here refers to LSM defined properties like obj_user, obj_role etc. These members are of AND relation, meaning all lsm members together would form one LSM rule.
As of the scenario you mentioned, I think it should be really rare. Spending to much time and code on this might not worth it.
+ } + } + if (!rc) { + result = false; + goto out; + } } - return true; + result = true; + +out: + if (rule_reinitialized) { + for (i = 0; i < MAX_LSM_RULES; i++) + ima_filter_rule_free(lsm_rule->lsm[i].rule); + kfree(lsm_rule); + } + return result; }
-- Best GUO Zihua
