On Mon, 2023-01-09 at 21:51 -0500, Paul Moore wrote:
On Thu, Jan 5, 2023 at 8:24 PM GUO Zihua guozihua@huawei.com wrote:
Backports the following three patches to fix the issue of IMA mishandling LSM-based rules during an LSM policy update, causing a file to match an unexpected rule.
v7: Fixed the target for free in ima_lsm_copy_rule().
v6: Removed the redundant i in ima_free_rule().
v5: Goes back to ima_lsm_free_rule() instead to avoid freeing rule->fsname.
v4: Make use of the existing ima_free_rule() instead of the backported ima_lsm_free_rule(), which resolves additional memory leak issues.
v3: Backport "LSM: switch to blocking policy update notifiers" as well, as the prerequisite of "ima: use the lsm policy update notifier".
v2: Re-adjust the backported logic.
GUO Zihua (1):
  ima: Handle -ESTALE returned by ima_filter_rule_match()

Janne Karhunen (2):
  LSM: switch to blocking policy update notifiers
  ima: use the lsm policy update notifier
I'll defer to Mimi for the IMA bits, but the LSM and SELinux related bits look fine to me and appear to be faithful backports of patches already in Linus' tree.
Thanks, Paul, for reviewing and confirming that it looks fine.
Mimi
 drivers/infiniband/core/device.c    |   4 +-
 include/linux/security.h            |  12 +--
 security/integrity/ima/ima.h        |   2 +
 security/integrity/ima/ima_main.c   |   8 ++
 security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
 security/security.c                 |  23 +++-
 security/selinux/hooks.c            |   2 +-
 security/selinux/selinuxfs.c        |   2 +-
 8 files changed, 155 insertions(+), 49 deletions(-)
-- 2.17.1