On Mon, 2023-01-09 at 21:51 -0500, Paul Moore wrote:
> On Thu, Jan 5, 2023 at 8:24 PM GUO Zihua <guozihua@xxxxxxxxxx> wrote:
> >
> > Backports the following three patches to fix the issue of IMA mishandling
> > LSM based rule during LSM policy update, causing a file to match an
> > unexpected rule.
> >
> > v7:
> > Fixed the target for free in ima_lsm_copy_rule().
> >
> > v6:
> > Removed the redundant i in ima_free_rule().
> >
> > v5:
> > goes back to ima_lsm_free_rule() instead to avoid freeing
> > rule->fsname.
> >
> > v4:
> > Make use of the existing ima_free_rule() instead of backported
> > ima_lsm_free_rule(). Which resolves additional memory leak issues.
> >
> > v3:
> > Backport "LSM: switch to blocking policy update notifiers" as well, as
> > the prerequisite of "ima: use the lsm policy update notifier".
> >
> > v2:
> > Re-adjust the backported logic.
> >
> > GUO Zihua (1):
> >   ima: Handle -ESTALE returned by ima_filter_rule_match()
> >
> > Janne Karhunen (2):
> >   LSM: switch to blocking policy update notifiers
> >   ima: use the lsm policy update notifier
>
> I'll defer to Mimi for the IMA bits, but the LSM and SELinux related
> bits look fine to me and appear to be faithful backports of patches
> already in Linus' tree.

Thanks, Paul, for reviewing and confirming that it looks fine.

Mimi

> >  drivers/infiniband/core/device.c    |   4 +-
> >  include/linux/security.h            |  12 +--
> >  security/integrity/ima/ima.h        |   2 +
> >  security/integrity/ima/ima_main.c   |   8 ++
> >  security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
> >  security/security.c                 |  23 +++--
> >  security/selinux/hooks.c            |   2 +-
> >  security/selinux/selinuxfs.c        |   2 +-
> >  8 files changed, 155 insertions(+), 49 deletions(-)
> >
> > --
> > 2.17.1
>