On 2023/1/4 2:50, Mimi Zohar wrote:
> On Tue, 2023-01-03 at 10:20 +0800, GUO Zihua wrote:
>> From: Janne Karhunen <janne.karhunen@xxxxxxxxx>
>>
>> [ Upstream commit b169424551930a9325f700f502802f4d515194e5 ]
>>
>> This patch is backported to resolve the issue of IMA ignoreing LSM part of
>> an LSM based rule. As the LSM notifier chain was an atomic notifier
>> chain, we'll not be able to call synchronize_rcu() within our notifier
>> handling function. Instead, we call the call_rcu() function to resolve
>> the freeing issue. To do that, we would needs to include a rcu_head
>> member in our rule, as well as wrap the call to ima_lsm_free_rule() into
>> a rcu_callback_t type callback function.
>>
>> Original patch message is as follows:
>>
>> commit b169424551930a9325f700f502802f4d515194e5
>> Author: Janne Karhunen <janne.karhunen@xxxxxxxxx>
>> Date: Fri Jun 14 15:20:15 2019 +0300
>>
>> Don't do lazy policy updates while running the rule matching,
>> run the updates as they happen.
>>
>> Depends on commit f242064c5df3 ("LSM: switch to blocking policy update
>> notifiers")
>>
>> Signed-off-by: Janne Karhunen <janne.karhunen@xxxxxxxxx>
>> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
>>
>> Cc: stable@xxxxxxxxxxxxxxx #4.19.y
>> Signed-off-by: GUO Zihua <guozihua@xxxxxxxxxx>
>
> There was quite a bit of discussion regarding converting the atomic
> notifier to blocking, but this backport doesn't make that change.
>
> Refer to
> https://lore.kernel.org/linux-integrity/CAHC9VhS=GsEVUmxtiV64o8G6i2nJpkzxzpyTADgN-vhV8pzZbg@xxxxxxxxxxxxxx/
Well it seems that the bug mentioned here is still valid on 4.19.y.
Which is worrying. I'll try backporting the blocking notifier change as
well.
>
> Mimi
>
--
Best
GUO Zihua
