[PATCH v4 2/2] ima: Handle -ESTALE returned by ima_filter_rule_match()
Mimi Zohar
zohar at linux.ibm.com
Mon Sep 19 21:35:05 UTC 2022
Hi Scott,
> @@ -612,6 +614,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> else
> return false;
> }
> +
> +retry:
> switch (i) {
> case LSM_OBJ_USER:
> case LSM_OBJ_ROLE:
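Review bot: the retry: label placed ahead of switch (i) creates a backward jump, and nothing in the visible lines bounds how many times it is taken. If the match keeps returning -ESTALE after every successful copy, the function never leaves this spot. Consider allowing a single retry per LSM field and treating a second -ESTALE as a failed match.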
> @@ -631,10 +635,28 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> default:
> break;
> }
> - if (!rc)
> - return false;
> +
> + if (rc == -ESTALE) {
> + rule = ima_lsm_copy_rule(rule);
Re-using rule here
> + if (rule) {
and here doesn't look right.
> + rule_reinitialized = true;
> + goto retry;
> + }
> + }
> + if (!rc) {
> + result = false;
> + goto out;
> + }
> }
> - return true;
> + result = true;
> +
> +out:
> + if (rule_reinitialized) {
> + for (i = 0; i < MAX_LSM_RULES; i++)
> + ima_filter_rule_free(rule->lsm[i].rule);
> + kfree(rule);
> + }
Shouldn't freeing the memory be immediately after the retry?
Otherwise, only the last instance of processing -ESTALE would be freed.
> + return result;
> }
>
> /*
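Review bot: in the rc == -ESTALE branch, rule = ima_lsm_copy_rule(rule) overwrites the only pointer to the rule being matched, and the failure path is not handled. If the copy returns NULL, rc is still -ESTALE, so the if (!rc) check does not fire and execution continues with rule set to NULL; if an earlier retry already set rule_reinitialized, the out: block then dereferences rule->lsm[i].rule. A second successful copy also replaces the previous copy without freeing it. Suggest holding the copy in a separate local, freeing any earlier copy before replacing it, and setting result = false with goto out when the copy fails.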
--
thanks,
Mimi