On 2022/12/27 19:22, Mimi Zohar wrote:
> On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote:
>> commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
>> ima_filter_rule_match()") introduced the handling of -ESTALE returned by
>> security_audit_rule_match(). However, security_audit_rule_match() might
>> return other error codes if some error occurred. We should handle those
>> error codes as well.
>>
>> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
>> Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx>
>> ---
>> security/integrity/ima/ima_policy.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 6a68ec270822..5561e1b2c376 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
>> break;
>> }
>>
>> - if (rc == -ESTALE && !rule_reinitialized) {
>> + if (rc < 0 && !rule_reinitialized) {
>
> Which other error codes are resolved by retrying?
Well I re-checked security_audit_rule_match() and it seems that only
-ESTALE can be handled. This patch could be ignored.
>
>> lsm_rule = ima_lsm_copy_rule(rule);
>> if (lsm_rule) {
>> rule_reinitialized = true;
>
--
Best
GUO Zihua
