[PATCH v9 11/23] ima: Move ima_lsm_policy_notifier into ima_namespace
Christian Brauner
brauner at kernel.org
Wed Jan 26 13:05:32 UTC 2022
On Tue, Jan 25, 2022 at 05:46:33PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb at linux.ibm.com>
>
> Move the ima_lsm_policy_notifier into the ima_namespace. Each IMA
> namespace can now register its own LSM policy change notifier callback.
> The policy change notifier for the init_ima_ns still remains in init_ima()
> and therefore handle the registration of the callback for all other
> namespaces in init_ima_namespace().
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> ---
I'd double-check that this cannot be used to cause rcu stalls when a lot
of ima namespaces with a lot of rules are used, leading to a dos situation
during LSM policy update. The good thing at least is that an LSM policy
update can only be triggered for selinux for the whole system.