[PATCH 4.19 v2 0/5] Backport handling -ESTALE policy update failure to 4.19
Guozihua (Scott)
guozihua at huawei.com
Thu Feb 23 01:31:42 UTC 2023
On 2023/2/22 23:24, Mimi Zohar wrote:
> Hi Scott,
>
> On Thu, 2023-02-16 at 20:42 +0800, GUO Zihua wrote:
>> This series backports patches in order to resolve the issue discussed here:
>> https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>>
>> This required backporting the non-blocking LSM policy update mechanism
>> prerequisite patches. As well as bugfixes that follows.
>
> For ease of reading, the above sentence should end with a colon and be
> followed with the list of commits.
Sure thing. Will make the change.
>>
>> 66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
>> is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
>> policy update notifiers").
>
>> e144d6b26541 ("ima: Evaluate error in
>> init_ima()") is merged as a follow up bugfix for b16942455193 ("ima:
>> use the lsm policy update notifier").
>
>> 483ec26eed42 ("ima: ima/lsm policy
>> rule loading logic bug fixes") and 9ff8a616dfab ("ima: Have the LSM free
>> its audit rule") is also followup bugfixes. The former would change the
>> behavior of rule loading without fixing any criticial bug so I don't
>> think it's necessary, while the latter has already been merged.
>
> Prior to the non-blocking LSM notifier was upstreamed, a custom IMA
> policy with LSM based policy rules could not be loaded until the LSM
> policy had been initialized. Commit 483ec26eed42 ("ima: ima/lsm policy
> rule loading logic bug fixes") reverts the unintended change in
> behavior.
Right. I thought that commit was an "feature addition" rather than a
fix. I'll include that in the backport.
>
>>
>> I've tested the patches against said issue and can confirm that the
>> issue is fixed.
>>
>> This is a re-send of the original patchset as the original patchset
>> might have a faulty cover letter. The original patchset could be found
>> here:
>> https://patchwork.kernel.org/project/linux-integrity/list/?series=709367
>
> In addition to a "faulty cover letter", included in this version
> additional patches are being backported.
>
> Probably better to drop this comment or to include a "Link:" to the
> mailing list discussion, as described in
> Documentation/process/submitting-patches.
Got it.
>
>>
>> Change log:
>> v2: Fixed build issue and backport bugfix commits for backported
>> patches.
>>
>> Daniel Jurgens (1):
>> IB/core: Don't register each MAD agent for LSM notifier
>>
>> GUO Zihua (1):
>> ima: Handle -ESTALE returned by ima_filter_rule_match()
>>
>> Janne Karhunen (2):
>> LSM: switch to blocking policy update notifiers
>> ima: use the lsm policy update notifier
>>
>> Roberto Sassu (1):
>> ima: Evaluate error in init_ima()
>>
>> drivers/infiniband/core/core_priv.h | 5 +
>> drivers/infiniband/core/device.c | 5 +-
>> drivers/infiniband/core/security.c | 51 +++++-----
>> include/linux/security.h | 12 +--
>> include/rdma/ib_mad.h | 3 +-
>> security/integrity/ima/ima.h | 2 +
>> security/integrity/ima/ima_main.c | 11 ++
>> security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
>> security/security.c | 23 +++--
>> security/selinux/hooks.c | 2 +-
>> security/selinux/selinuxfs.c | 2 +-
>> 11 files changed, 193 insertions(+), 74 deletions(-)
>>
--
Best
GUO Zihua
More information about the Linux-security-module-archive
mailing list