[PATCH v24 04/25] IMA: avoid label collisions with stacked LSMs

Mimi Zohar zohar at linux.ibm.com
Tue Feb 23 00:27:07 UTC 2021


On Mon, 2021-02-22 at 15:45 -0800, Casey Schaufler wrote:
> On 2/14/2021 10:21 AM, Mimi Zohar wrote:
> 
> Would these changes match your suggestion?
> 
>  security/integrity/ima/ima_policy.c | 24 ++++++++++++------------
>  1 file changed, 12 insertions(+), 12 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 9ac673472781..e80956548243 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -78,11 +78,11 @@ struct ima_rule_entry {
>  	bool (*uid_op)(kuid_t, kuid_t);    /* Handlers for operators       */
>  	bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
>  	int pcr;
> +	int which_lsm; /* which of the rules to use */
>  	struct {
>  		void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */

If each IMA policy rule may only contain a single LSM specific
LSM_OBJ_{USER | ROLE | TYPE} and LSM_SUBJ_{USER | ROLE | TYPE}, then
there is no need for rules[LSMBLOB_ENTRIES].  Leave it as "*rule".

Otherwise it looks good.

Mimi

>  		char *args_p;	/* audit value */
>  		int type;	/* audit type */
> -		int which_lsm; /* which of the rules to use */
>  	} lsm[MAX_LSM_RULES];
>  	char *fsname;
>  	struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
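Review bot: the comment on the moved field, `+	int which_lsm; /* which of the rules to use */`, no longer explains what it indexes once it sits at the top of `struct ima_rule_entry` rather than beside `void *rules[LSMBLOB_ENTRIES]` inside the `lsm[MAX_LSM_RULES]` array; please reword it to say that it selects the LSM slot that every `lsm[]` entry of this rule refers to, which also makes explicit that a single rule can reference only one LSM. Given that the selector is now per rule, the hunk still keeps the `rules[LSMBLOB_ENTRIES]` array in each entry, so either the array is genuinely needed (and the comment should say why) or it can revert to a single pointer as suggested in the reply above.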