[PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels

Christian Brauner brauner at kernel.org
Wed Jan 26 08:38:14 UTC 2022


On Tue, Jan 25, 2022 at 05:46:24PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb at linux.ibm.com>
> 
> Before printing a policy rule, scan for inactive LSM labels in the policy
> rule. Inactive LSM labels are identified by args_p != NULL and
> rule == NULL.
> 
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")

That commit message of the referenced patch reads:

"Don't do lazy policy updates while running the rule matching, run the
updates as they happen."

and given that we had a lengthy discussion how to update the rules I
really would have liked an explanation why the update needs to run
immediately. Not doing it lazily is the whole reason we have this
notifier infra. Why can't this be done lazily?
