[PATCH v4] ima: ima/lsm policy rule loading logic bug fixes
Mimi Zohar
zohar at linux.ibm.com
Wed Jan 15 18:36:21 UTC 2020
On Wed, 2020-01-15 at 17:42 +0200, Janne Karhunen wrote:
> Keep the ima policy rules around from the beginning even if they appear
> invalid at the time of loading, as they may become active after an lsm
> policy load. However, loading a custom IMA policy with unknown LSM
> labels is only safe after we have transitioned from the "built-in"
> policy rules to a custom IMA policy.
>
> Patch also fixes the rule re-use during the lsm policy reload and makes
> some prints a bit more human readable.
>
> Changelog:
> v4:
> - Do not allow the initial policy load refer to non-existing lsm rules.
> v3:
> - Fix too wide policy rule matching for non-initialized LSMs
> v2:
> - Fix log prints
>
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")
> Cc: Casey Schaufler <casey at schaufler-ca.com>
> Reported-by: Mimi Zohar <zohar at linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
> Signed-off-by: Janne Karhunen <janne.karhunen at gmail.com>
> Signed-off-by: Konsta Karsisto <konsta.karsisto at gmail.com>
Thanks, the updated patch is now queued in next-integrity-testing.
Mimi
More information about the Linux-security-module-archive
mailing list