On Tue, 2010-12-21 at 14:38 -0800, Andrew Morton wrote:
> On Mon, 20 Dec 2010 08:37:03 -0500
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
> > If security_filter_rule_init() doesn't return a rule, then not everything
> > is as fine as the return code implies.
> >
> > This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
> >
> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>
> > Cc: Stable Kernel <stable@xxxxxxxxxx>
> > ---
> >  security/integrity/ima/ima_policy.c |    2 ++
> >  1 files changed, 2 insertions(+), 0 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index aef8c0a..d661afb 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
> >  	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
> >  					   Audit_equal, args,
> >  					   &entry->lsm[lsm_rule].rule);
> > +	if (!entry->lsm[lsm_rule].rule)
> > +		return -EINVAL;
> >  	return result;
> >  }
> >
>
> You've cc'ed -stable but you didn't tell us what are the user-visible
> effects of this bug.  This makes it rather hard for others to
> understand why you believe the patch should be backported.

Adding an empty LSM rule causes ima_match_rules() to always succeed,
ignoring any remaining rules.

default IMA TCB policy:

# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673
< LSM specific rule >
dont_measure obj_type=var_log_t
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0

Thus without the patch, with the boot parameters 'tcb selinux=0', adding
the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
measurement policy would result in nothing being measured. The patch
prevents the default TCB policy from being replaced.

Mimi
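Review bot: the new NULL check in ima_lsm_rule_init() sits after the call but before `return result;`, so when security_filter_rule_init() fails with a non-zero result and leaves the rule pointer NULL, the caller now sees -EINVAL instead of the error the hook actually reported. Check the hook's result first, or reject the missing rule only on its success path, e.g. `if (!result && !entry->lsm[lsm_rule].rule) return -EINVAL;`. A one-line comment noting that this guards the LSM-disabled-at-runtime case the changelog describes would also help the next reader of the function.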
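The fail-open behaviour Mimi describes, an LSM rule that was never built constraining nothing so that a 'dont_measure' rule swallows every file, is easier to see in a small model. The following is an added C example and not kernel code: the rule texts and PROC_SUPER_MAGIC come from the mail, while policy_rule, lsm_matcher, lsm_rule_init, evaluate_policy, the ext4 magic used for the test file and the SELinux types are assumptions of this model.

```c
/*
 * Added example, not kernel code: a simplified model of the fail-open
 * behaviour discussed in the thread. Names such as policy_rule,
 * lsm_matcher, lsm_rule_init and evaluate_policy are invented here.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROC_SUPER_MAGIC 0x9fa0UL   /* from the policy in the mail */
#define EXT4_SUPER_MAGIC 0xEF53UL   /* constructed: filesystem of the test file */

enum action { NO_MATCH = 0, MEASURE, DONT_MEASURE };

/* Stand-in for the LSM's compiled rule; NULL means the LSM never built one. */
struct lsm_matcher { const char *obj_type; };

struct policy_rule {
    enum action action;
    unsigned long fsmagic;     /* 0: no fsmagic= constraint */
    const char *func;          /* NULL: no func= constraint */
    struct lsm_matcher *lsm;   /* NULL: no LSM constraint */
};

/* Constructed description of one file access being policy-checked. */
struct file_ctx {
    unsigned long fsmagic;
    const char *func;
    const char *obj_type;
};

/* Models security_filter_rule_init() as the mail describes it: with the
 * LSM disabled at runtime it returns 0 but never hands back a rule. */
static int lsm_rule_init(bool lsm_enabled, const char *obj_type,
                         struct lsm_matcher **out)
{
    *out = NULL;
    if (!lsm_enabled)
        return 0;               /* "success" with no rule: the bug's trigger */
    *out = malloc(sizeof **out);
    if (!*out)
        return -ENOMEM;
    (*out)->obj_type = obj_type;
    return 0;
}

/* Before the patch: trust the return code alone. */
static int lsm_rule_add_unpatched(bool lsm_enabled, const char *obj_type,
                                  struct policy_rule *r)
{
    return lsm_rule_init(lsm_enabled, obj_type, &r->lsm);
}

/* After the patch: a rule that asked for an LSM constraint but received
 * no matcher is rejected instead of being loaded silently. */
static int lsm_rule_add_patched(bool lsm_enabled, const char *obj_type,
                                struct policy_rule *r)
{
    int result = lsm_rule_init(lsm_enabled, obj_type, &r->lsm);
    if (!r->lsm)
        return -EINVAL;
    return result;
}

/* Every constraint a rule carries must match; a rule with lsm == NULL
 * carries no LSM constraint, so an empty LSM rule matches everything. */
static bool rule_matches(const struct policy_rule *r, const struct file_ctx *f)
{
    if (r->fsmagic && r->fsmagic != f->fsmagic)
        return false;
    if (r->func && strcmp(r->func, f->func) != 0)
        return false;
    if (r->lsm && strcmp(r->lsm->obj_type, f->obj_type) != 0)
        return false;
    return true;
}

/* The first matching rule decides the action. */
static enum action first_matching_action(const struct policy_rule *rules,
                                         size_t n, const struct file_ctx *f)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], f))
            return rules[i].action;
    return NO_MATCH;
}

/* Loads a shortened TCB policy (proc dont_measure, obj_type=var_log_t,
 * BPRM_CHECK measure) and evaluates an exec of an ext4 file of the given
 * SELinux type. A rule that fails to load is left out, standing in for the
 * kernel keeping its default policy when the replacement is rejected. */
enum action evaluate_policy(bool patched, bool lsm_enabled, const char *file_obj_type)
{
    struct policy_rule rules[3];
    size_t n = 0;
    struct policy_rule lsm_rule = { DONT_MEASURE, 0, NULL, NULL };
    int rc = patched ? lsm_rule_add_patched(lsm_enabled, "var_log_t", &lsm_rule)
                     : lsm_rule_add_unpatched(lsm_enabled, "var_log_t", &lsm_rule);

    rules[n++] = (struct policy_rule){ DONT_MEASURE, PROC_SUPER_MAGIC, NULL, NULL };
    if (rc == 0)
        rules[n++] = lsm_rule;
    rules[n++] = (struct policy_rule){ MEASURE, 0, "BPRM_CHECK", NULL };

    struct file_ctx exec = { EXT4_SUPER_MAGIC, "BPRM_CHECK", file_obj_type };
    enum action a = first_matching_action(rules, n, &exec);
    free(lsm_rule.lsm);
    return a;
}

int main(void)
{
    const char *names[] = { "no match", "measure", "dont_measure" };
    printf("selinux=0, unpatched, exec bin_t:  %s\n", names[evaluate_policy(false, false, "bin_t")]);
    printf("selinux=0, patched,   exec bin_t:  %s\n", names[evaluate_policy(true, false, "bin_t")]);
    printf("selinux=1, patched,   exec var_log_t: %s\n", names[evaluate_policy(true, true, "var_log_t")]);
    return 0;
}
```

With the LSM disabled and the check absent, the obj_type rule loads with no matcher and every exec hits 'dont_measure' before the BPRM_CHECK rule is reached; with the check present the rule is refused and the measure rule still fires. The design point is fail-closed loading: a constraint that cannot be compiled must reject the rule rather than degrade into "match all".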