Backports the following three patches to fix the issue of IMA mishandling LSM based rule during LSM policy update, causing a file to match an unexpected rule.

v7: Fixed the target for free in ima_lsm_copy_rule().
v6: Removed the redundant i in ima_free_rule().
v5: Goes back to ima_lsm_free_rule() instead to avoid freeing rule->fsname.
v4: Make use of the existing ima_free_rule() instead of backported ima_lsm_free_rule(), which resolves additional memory leak issues.
v3: Backport "LSM: switch to blocking policy update notifiers" as well, as the prerequisite of "ima: use the lsm policy update notifier".
v2: Re-adjust the backported logic.

GUO Zihua (1):
  ima: Handle -ESTALE returned by ima_filter_rule_match()

Janne Karhunen (2):
  LSM: switch to blocking policy update notifiers
  ima: use the lsm policy update notifier

 drivers/infiniband/core/device.c    |   4 +-
 include/linux/security.h            |  12 +--
 security/integrity/ima/ima.h        |   2 +
 security/integrity/ima/ima_main.c   |   8 ++
 security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
 security/security.c                 |  23 +++--
 security/selinux/hooks.c            |   2 +-
 security/selinux/selinuxfs.c        |   2 +-
 8 files changed, 155 insertions(+), 49 deletions(-)

--
2.17.1