On 11/25/2024 3:38 AM, Christian Göttsche wrote:
> Hi,
>
> I noticed that the `prop` parameter of `ima_match_rules()` is
> currently unused (due to shadowing).
> Is that by design or a mishap of the recent rework?
>
> Related commits:
>
> 37f670a ("lsm: use lsm_prop in security_current_getsecid")
> 870b7fd ("lsm: use lsm_prop in security_audit_rule_match")
> 07f9d2c ("lsm: use lsm_prop in security_inode_getsecid")
The shadowing was inadvertent. The use of lsm_prop data is
corrected by this patch.
---
security/integrity/ima/ima_policy.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index dbfd554b4624..21a8e54c383f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -635,7 +635,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
- struct lsm_prop prop = { };
+ struct lsm_prop inode_prop = { };
if (!lsm_rule->lsm[i].rule) {
if (!lsm_rule->lsm[i].args_p)
@@ -649,15 +649,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
case LSM_OBJ_USER:
case LSM_OBJ_ROLE:
case LSM_OBJ_TYPE:
- security_inode_getlsmprop(inode, &prop);
- rc = ima_filter_rule_match(&prop, lsm_rule->lsm[i].type,
+ security_inode_getlsmprop(inode, &inode_prop);
+ rc = ima_filter_rule_match(&inode_prop,
+ lsm_rule->lsm[i].type,
Audit_equal,
lsm_rule->lsm[i].rule);
break;
case LSM_SUBJ_USER:
case LSM_SUBJ_ROLE:
case LSM_SUBJ_TYPE:
- rc = ima_filter_rule_match(&prop, lsm_rule->lsm[i].type,
+ rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type,
Audit_equal,
lsm_rule->lsm[i].rule);
break;
