Re: Race conditioned discovered between ima_match_rules and ima_update_lsm_update_rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Aug 7, 2022 at 11:19 PM Guozihua (Scott) <guozihua@xxxxxxxxxx> wrote:
>
> On 2022/8/8 11:02, Guozihua (Scott) wrote:
> > Hi Community,
> >
> > Recently we discovered a race condition while updating SELinux policy
> > with IMA lsm rule enabled. Which would lead to extra files being measured.
> >
> > While SELinux policy is updated, the IDs for object types and such would
> > be changed, and ima_lsm_update_rules would be called.
> >
> > There are no lock applied in ima_lsm_update_rules. If user accesses a
> > file during this time, ima_match_rules will be matching rules based on
> > old SELinux au_seqno resulting in selinux_audit_rule_match returning
> > -ESTALE.
> >
> > However, in ima_match_rules, this error number is not handled, causing
> > IMA to think the LSM rule is also a match, leading to measuring extra
> > files.

...

> > Is this the intended behavior? Or is it a good idea to add a lock for
> > LSM rules during update?

I'm not the IMA expert here, but a lot of effort has been into the
SELinux code to enable lockless/RCU SELinux policy access and I
*really* don't want to have to backtrack on that.

-- 
paul-moore.com



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux