linux/security
GUO Zihua c7423dbdbc ima: Handle -ESTALE returned by ima_filter_rule_match()
IMA relies on the blocking LSM policy notifier callback to update the
LSM based IMA policy rules.

When SELinux updates its policies, IMA would be notified and starts
updating all its lsm rules one-by-one. During this time, -ESTALE would
be returned by ima_filter_rule_match() if it is called with an LSM rule
that has not yet been updated. In ima_match_rules(), -ESTALE is not
handled, and the LSM rule is considered a match, causing extra files
to be measured by IMA.

Fix it by re-initializing a temporary rule if -ESTALE is returned by
ima_filter_rule_match(). The origin rule in the rule list would be
updated by the LSM policy notifier callback.

Fixes: b169424551 ("ima: use the lsm policy update notifier")
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2022-11-02 18:51:03 -04:00
apparmor ->getprocattr(): attribute name is const char *, TYVM... 2022-09-01 17:34:39 -04:00
bpf
integrity ima: Handle -ESTALE returned by ima_filter_rule_match() 2022-11-02 18:51:03 -04:00
keys KEYS: encrypted: fix key instantiation with user-provided data 2022-10-19 13:01:23 -04:00
landlock landlock: Fix documentation style 2022-09-29 18:43:04 +02:00
loadpin LoadPin: Require file with verity root digests to have a header 2022-09-07 16:37:27 -07:00
lockdown lockdown: ratelimit denial messages 2022-09-14 07:37:50 -04:00
safesetid LSM: SafeSetID: Add setgroups() security policy handling 2022-07-15 18:24:42 +00:00
selinux whack-a-mole: constifying struct path * 2022-10-06 17:31:02 -07:00
smack whack-a-mole: constifying struct path * 2022-10-06 17:31:02 -07:00
tomoyo tomoyo: struct path it might get from LSM callers won't have NULL dentry or mnt 2022-08-21 11:50:42 -04:00
yama
commoncap.c
device_cgroup.c bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean 2022-01-19 12:51:30 -08:00
inode.c
Kconfig x86/retbleed: Add fine grained Kconfig knobs 2022-06-29 17:43:41 +02:00
Kconfig.hardening - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
lsm_audit.c lsm: clean up redundant NULL pointer check 2022-08-15 22:44:01 -04:00
Makefile
min_addr.c
security.c powerpc updates for 6.1 2022-10-09 14:05:15 -07:00