On Wed, Aug 26, 2020 at 11:14 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > > The IMA interfaces ima_get_action() and ima_match_policy() > call LSM functions that use lsmblobs. Change the IMA functions > to pass the lsmblob to be compatible with the LSM functions. > > Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> > Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx> > Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx> > Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > cc: linux-integrity@xxxxxxxxxxxxxxx > --- > security/integrity/ima/ima.h | 11 +++++---- > security/integrity/ima/ima_api.c | 10 ++++---- > security/integrity/ima/ima_appraise.c | 6 ++--- > security/integrity/ima/ima_main.c | 35 +++++++++++---------------- > security/integrity/ima/ima_policy.c | 14 +++++------ > 5 files changed, 34 insertions(+), 42 deletions(-) ... > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index a86b35dad4fa..b057c758b430 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -519,7 +519,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > case LSM_SUBJ_USER: > case LSM_SUBJ_ROLE: > case LSM_SUBJ_TYPE: > - lsmblob_init(&lsmdata, secid); > rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, > Audit_equal, > rule->lsm[i].rules); I'm jumping across patches in this patchset so I may have missed something, but I think the ima_filter_rule_match() call should be using the passed "blob" pointer and not the local "lsmdata" right? If this is correct, I think this patch can also remove the local "lsmdata" as well. -- paul moore www.paul-moore.com
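Review bot: in the ima_match_rules() hunk of ima_policy.c, the LSM_SUBJ_USER / LSM_SUBJ_ROLE / LSM_SUBJ_TYPE case loses lsmblob_init(&lsmdata, secid), but the ima_filter_rule_match() call directly below it still takes &lsmdata. Nothing in the visible lines fills in lsmdata after this change, so the subject-label comparison would run against whatever the variable happens to hold, and IMA rules keyed on subject user, role or type could match or miss unpredictably. Since the commit message says the IMA functions now pass the lsmblob in, the call should take that passed-in pointer as its first argument, and the lsmdata declaration should be deleted in the same patch so the compiler flags any remaining user. The rest of this file's changes are elided here, so it is worth confirming that any other use of lsmdata in the same switch is converted too.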