On Thu, Jan 5, 2023 at 8:24 PM GUO Zihua <guozihua@xxxxxxxxxx> wrote: > > Backports the following three patches to fix the issue of IMA mishandling > LSM based rule during LSM policy update, causing a file to match an > unexpected rule. > > v7: > Fixed the target for free in ima_lsm_copy_rule(). > > v6: > Removed the redundent i in ima_free_rule(). > > v5: > goes back to ima_lsm_free_rule() instead to avoid freeing > rule->fsname. > > v4: > Make use of the exisiting ima_free_rule() instead of backported > ima_lsm_free_rule(). Which resolves additional memory leak issues. > > v3: > Backport "LSM: switch to blocking policy update notifiers" as well, as > the prerequsite of "ima: use the lsm policy update notifier". > > v2: > Re-adjust the bacported logic. > > GUO Zihua (1): > ima: Handle -ESTALE returned by ima_filter_rule_match() > > Janne Karhunen (2): > LSM: switch to blocking policy update notifiers > ima: use the lsm policy update notifier I'll defer to Mimi for the IMA bits, but the LSM and SELinux related bits looks fine to me and appear to be faithful backports of patches already in Linus' tree. > drivers/infiniband/core/device.c | 4 +- > include/linux/security.h | 12 +-- > security/integrity/ima/ima.h | 2 + > security/integrity/ima/ima_main.c | 8 ++ > security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------ > security/security.c | 23 +++-- > security/selinux/hooks.c | 2 +- > security/selinux/selinuxfs.c | 2 +- > 8 files changed, 155 insertions(+), 49 deletions(-) > > -- > 2.17.1 -- paul-moore.com