Re: [PATCH v7 0/3] ima: Fix IMA mishandling of LSM based rule during

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jan 5, 2023 at 8:24 PM GUO Zihua <guozihua@xxxxxxxxxx> wrote:
>
> Backports the following three patches to fix the issue of IMA mishandling
> LSM based rule during LSM policy update, causing a file to match an
> unexpected rule.
>
> v7:
>   Fixed the target for free in ima_lsm_copy_rule().
>
> v6:
>   Removed the redundent i in ima_free_rule().
>
> v5:
>   goes back to ima_lsm_free_rule() instead to avoid freeing
> rule->fsname.
>
> v4:
>   Make use of the exisiting ima_free_rule() instead of backported
> ima_lsm_free_rule(). Which resolves additional memory leak issues.
>
> v3:
>   Backport "LSM: switch to blocking policy update notifiers" as well, as
> the prerequsite of "ima: use the lsm policy update notifier".
>
> v2:
>   Re-adjust the bacported logic.
>
> GUO Zihua (1):
>   ima: Handle -ESTALE returned by ima_filter_rule_match()
>
> Janne Karhunen (2):
>   LSM: switch to blocking policy update notifiers
>   ima: use the lsm policy update notifier

I'll defer to Mimi for the IMA bits, but the LSM and SELinux related
bits looks fine to me and appear to be faithful backports of patches
already in Linus' tree.

>  drivers/infiniband/core/device.c    |   4 +-
>  include/linux/security.h            |  12 +--
>  security/integrity/ima/ima.h        |   2 +
>  security/integrity/ima/ima_main.c   |   8 ++
>  security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
>  security/security.c                 |  23 +++--
>  security/selinux/hooks.c            |   2 +-
>  security/selinux/selinuxfs.c        |   2 +-
>  8 files changed, 155 insertions(+), 49 deletions(-)
>
> --
> 2.17.1

-- 
paul-moore.com



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux