[PATCH 4.19 v2 0/5] Backport handling -ESTALE policy update failure to 4.19
Mimi Zohar
zohar at linux.ibm.com
Wed Feb 22 15:24:39 UTC 2023
Hi Scott,
On Thu, 2023-02-16 at 20:42 +0800, GUO Zihua wrote:
> This series backports patches in order to resolve the issue discussed here:
> https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>
> This required backporting the non-blocking LSM policy update mechanism
> prerequisite patches, as well as the bugfixes that follow.
For ease of reading, the above sentence should end with a colon and be
followed with the list of commits.
>
> 66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
> is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
> policy update notifiers").
> e144d6b26541 ("ima: Evaluate error in init_ima()") is merged as a
> follow-up bugfix for b16942455193 ("ima: use the lsm policy update
> notifier").
> 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes") and
> 9ff8a616dfab ("ima: Have the LSM free its audit rule") are also
> follow-up bugfixes. The former would change the behavior of rule
> loading without fixing any critical bug, so I don't think it's
> necessary, while the latter has already been merged.
Prior to the non-blocking LSM notifier being upstreamed, a custom IMA
policy with LSM based policy rules could not be loaded until the LSM
policy had been initialized. Commit 483ec26eed42 ("ima: ima/lsm policy
rule loading logic bug fixes") reverts the unintended change in
behavior.
>
> I've tested the patches against said issue and can confirm that the
> issue is fixed.
>
> This is a re-send of the original patchset, as the original patchset
> might have a faulty cover letter. The original patchset can be found
> here:
> https://patchwork.kernel.org/project/linux-integrity/list/?series=709367
In addition to a "faulty cover letter", this version also backports
additional patches.
Probably better to drop this comment or to include a "Link:" to the
mailing list discussion, as described in
Documentation/process/submitting-patches.
>
> Change log:
> v2: Fixed build issue and backport bugfix commits for backported
> patches.
>
> Daniel Jurgens (1):
> IB/core: Don't register each MAD agent for LSM notifier
>
> GUO Zihua (1):
> ima: Handle -ESTALE returned by ima_filter_rule_match()
>
> Janne Karhunen (2):
> LSM: switch to blocking policy update notifiers
> ima: use the lsm policy update notifier
>
> Roberto Sassu (1):
> ima: Evaluate error in init_ima()
>
> drivers/infiniband/core/core_priv.h | 5 +
> drivers/infiniband/core/device.c | 5 +-
> drivers/infiniband/core/security.c | 51 +++++-----
> include/linux/security.h | 12 +--
> include/rdma/ib_mad.h | 3 +-
> security/integrity/ima/ima.h | 2 +
> security/integrity/ima/ima_main.c | 11 ++
> security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
> security/security.c | 23 +++--
> security/selinux/hooks.c | 2 +-
> security/selinux/selinuxfs.c | 2 +-
> 11 files changed, 193 insertions(+), 74 deletions(-)
>
--
thanks,
Mimi