Re: [RFC] IMA LSM based rule race condition issue on 4.19 LTS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2022/12/9 17:32, Guozihua (Scott) wrote:
> On 2022/12/9 17:22, Greg KH wrote:
>> On Fri, Dec 09, 2022 at 05:11:40PM +0800, Guozihua (Scott) wrote:
>>> On 2022/12/9 17:00, Greg KH wrote:
>>>> On Fri, Dec 09, 2022 at 04:59:17PM +0800, Guozihua (Scott) wrote:
>>>>> On 2022/12/9 16:46, Greg KH wrote:
>>>>>> On Fri, Dec 09, 2022 at 03:53:25PM +0800, Guozihua (Scott) wrote:
>>>>>>> On 2022/12/9 15:12, Greg KH wrote:
>>>>>>>> On Fri, Dec 09, 2022 at 03:00:35PM +0800, Guozihua (Scott) wrote:
>>>>>>>>> Hi community.
>>>>>>>>>
>>>>>>>>> Previously our team reported a race condition in IMA relates to LSM based
>>>>>>>>> rules which would case IMA to match files that should be filtered out under
>>>>>>>>> normal condition. The issue was originally analyzed and fixed on mainstream.
>>>>>>>>> The patch and the discussion could be found here:
>>>>>>>>> https://lore.kernel.org/all/20220921125804.59490-1-guozihua@xxxxxxxxxx/
>>>>>>>>>
>>>>>>>>> After that, we did a regression test on 4.19 LTS and the same issue arises.
>>>>>>>>> Further analysis reveled that the issue is from a completely different
>>>>>>>>> cause.
>>>>>>>>
>>>>>>>> What commit in the tree fixed this in newer kernels?  Why can't we just
>>>>>>>> backport that one to 4.19.y as well?
>>>>>>>>
>>>>>>>> thanks,
>>>>>>>>
>>>>>>>> greg k-h
>>>>>>>
>>>>>>> Hi Greg,
>>>>>>>
>>>>>>> The fix for mainline is now on linux-next, commit 	d57378d3aa4d ("ima:
>>>>>>> Simplify ima_lsm_copy_rule") and 	c7423dbdbc9ece ("ima: Handle -ESTALE
>>>>>>> returned by ima_filter_rule_match()"). However, these patches cannot be
>>>>>>> picked directly into 4.19.y due to code difference.
>>>>>>
>>>>>> Ok, so it's much more than just 4.19 that's an issue here.  And are
>>>>>> those commits tagged for stable inclusion?
>>>>>
>>>>> Not actually, not on the commit itself.
>>>>
>>>> That's not good.  When they hit Linus's tree, please submit backports to
>>>> the stable mailing list so that they can be picked up.
>>> Thing is these commits cannot be simply backported to 4.19.y. Preceding
>>> patches are missing. How do we do backporting in this situation? Do we
>>> first backport the preceding patches? Or maybe we develop another
>>> solution for 4.19.y?
>>
>> First they need to go to newer kernel trees, and then worry about 4.19.
>> We never want anyone to upgrade to a newer kernel and have a regression.
>>
>> Also, we can't do anything until they hit Linus's tree, as per the
>> stable kernel rules.
> Alright. We'll wait for these patches to be in Linus' tree. But should
> we stick to a backport from mainstream or we form a different solution
> for LTS?
> 
BTW, I have a look into it and if we are backporting mainstream's
solution, we would also needs to backport b16942455193 ("ima: use the
lsm policy update notifier")
-- 
Best
GUO Zihua




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux