On Tue, 2023-01-03 at 10:20 +0800, GUO Zihua wrote:
> From: Janne Karhunen <janne.karhunen@xxxxxxxxx>
>
> [ Upstream commit b169424551930a9325f700f502802f4d515194e5 ]
>
> This patch is backported to resolve the issue of IMA ignoring the LSM part of
> an LSM based rule. As the LSM notifier chain was an atomic notifier
> chain, we'll not be able to call synchronize_rcu() within our notifier
> handling function. Instead, we call the call_rcu() function to resolve
> the freeing issue. To do that, we would need to include a rcu_head
> member in our rule, as well as wrap the call to ima_lsm_free_rule() into
> a rcu_callback_t type callback function.
>
> Original patch message is as follows:
>
> commit b169424551930a9325f700f502802f4d515194e5
> Author: Janne Karhunen <janne.karhunen@xxxxxxxxx>
> Date: Fri Jun 14 15:20:15 2019 +0300
>
> Don't do lazy policy updates while running the rule matching,
> run the updates as they happen.
>
> Depends on commit f242064c5df3 ("LSM: switch to blocking policy update
> notifiers")
>
> Signed-off-by: Janne Karhunen <janne.karhunen@xxxxxxxxx>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>
> Cc: stable@xxxxxxxxxxxxxxx #4.19.y
> Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx>

There was quite a bit of discussion regarding converting the atomic
notifier to blocking, but this backport doesn't make that change.
Refer to https://lore.kernel.org/linux-integrity/CAHC9VhS=GsEVUmxtiV64o8G6i2nJpkzxzpyTADgN-vhV8pzZbg@xxxxxxxxxxxxxx/

Mimi