On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote:
> commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> ima_filter_rule_match()") introduced the handling of -ESTALE returned by
> security_audit_rule_match(). However, security_audit_rule_match() might
> return other error codes if some error occurred. We should handle those
> error codes as well.
>
> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx>
> ---
> security/integrity/ima/ima_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 6a68ec270822..5561e1b2c376 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> break;
> }
>
> - if (rc == -ESTALE && !rule_reinitialized) {
> + if (rc < 0 && !rule_reinitialized) {
Which other error codes are resolved by retrying?
> lsm_rule = ima_lsm_copy_rule(rule);
> if (lsm_rule) {
> rule_reinitialized = true;
--
Thanks,
Mimi
