On 2023/1/4 15:52, GUO Zihua wrote:
> Backports the following three patches to fix the issue of IMA mishandling
> LSM based rule during LSM policy update, causing a file to match an
> unexpected rule.
>
> v4:
> Make use of the existing ima_free_rule() instead of backported
> ima_lsm_free_rule(). Which resolves additional memory leak issues.

Using ima_free_rule() might cause a UAF on rule->fsname. Maybe using v3 would be better.

>
> v3:
> Backport "LSM: switch to blocking policy update notifiers" as well, as
> the prerequisite of "ima: use the lsm policy update notifier".
>
> v2:
> Re-adjust the backported logic.
>
> GUO Zihua (1):
> ima: Handle -ESTALE returned by ima_filter_rule_match()
>
> Janne Karhunen (2):
> LSM: switch to blocking policy update notifiers
> ima: use the lsm policy update notifier
>
> drivers/infiniband/core/device.c    |   4 +-
> include/linux/security.h            |  12 +--
> security/integrity/ima/ima.h        |   2 +
> security/integrity/ima/ima_main.c   |   8 ++
> security/integrity/ima/ima_policy.c | 136 ++++++++++++++++++++++------
> security/security.c                 |  23 +++--
> security/selinux/hooks.c            |   2 +-
> security/selinux/selinuxfs.c        |   2 +-
> 8 files changed, 143 insertions(+), 46 deletions(-)
>
> --
> Best
> GUO Zihua