ima: property parameter unused in ima_match_rules()

Roberto Sassu roberto.sassu at huaweicloud.com
Tue Nov 26 07:49:59 UTC 2024


On Mon, 2024-11-25 at 10:23 -0800, Casey Schaufler wrote:
> On 11/25/2024 3:38 AM, Christian Göttsche wrote:
> > Hi,
> > 
> > I noticed that the `prop` parameter of `ima_match_rules()` is
> > currently unused (due to shadowing).
> > Is that by design or a mishap of the recent rework?
> > 
> > Related commits:
> > 
> > 37f670a ("lsm: use lsm_prop in security_current_getsecid")
> > 870b7fd ("lsm: use lsm_prop in security_audit_rule_match")
> > 07f9d2c ("lsm: use lsm_prop in security_inode_getsecid")
> 
> The shadowing was inadvertent. The use of lsm_prop data is
> corrected by this patch.

Thanks Casey. Yes, this is what I had in mind.

Roberto

> ---
>  security/integrity/ima/ima_policy.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index dbfd554b4624..21a8e54c383f 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -635,7 +635,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
>  		return false;
>  	for (i = 0; i < MAX_LSM_RULES; i++) {
>  		int rc = 0;
> -		struct lsm_prop prop = { };
> +		struct lsm_prop inode_prop = { };
>  
>  		if (!lsm_rule->lsm[i].rule) {
>  			if (!lsm_rule->lsm[i].args_p)
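Review bot: the rename at `-		struct lsm_prop prop = { };` / `+		struct lsm_prop inode_prop = { };` removes the local that was shadowing the `prop` parameter, but it is worth confirming in the full function that no other reference to the old local survives in the loop body: after the rename any leftover `&prop` would silently bind to the parameter and become a `struct lsm_prop **`, which should at least trip an incompatible-pointer-type warning when passed to `ima_filter_rule_match()`, so a warning-free build is a reasonable check. Since the default kernel build does not enable `-Wshadow` (which is how this went unnoticed), a one-off `W=2` build of `security/integrity/ima/` would also show whether any similar shadowing remains in this file.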
> @@ -649,15 +649,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
>  		case LSM_OBJ_USER:
>  		case LSM_OBJ_ROLE:
>  		case LSM_OBJ_TYPE:
> -			security_inode_getlsmprop(inode, &prop);
> -			rc = ima_filter_rule_match(&prop, lsm_rule->lsm[i].type,
> +			security_inode_getlsmprop(inode, &inode_prop);
> +			rc = ima_filter_rule_match(&inode_prop,
> +						   lsm_rule->lsm[i].type,
>  						   Audit_equal,
>  						   lsm_rule->lsm[i].rule);
>  			break;
>  		case LSM_SUBJ_USER:
>  		case LSM_SUBJ_ROLE:
>  		case LSM_SUBJ_TYPE:
> -			rc = ima_filter_rule_match(&prop, lsm_rule->lsm[i].type,
> +			rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type,
>  						   Audit_equal,
>  						   lsm_rule->lsm[i].rule);
>  			break;
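Review bot: the change description should state the functional effect, because it is security-relevant: before this hunk the `LSM_SUBJ_USER`/`LSM_SUBJ_ROLE`/`LSM_SUBJ_TYPE` cases called `ima_filter_rule_match(&prop, ...)` on the zero-initialised local, so subject-based IMA policy rules were being evaluated against an empty `lsm_prop` rather than the caller's subject since the rework in the commits quoted above; a `Fixes:` tag for the commit that introduced the shadowing would help stable backports. With `+			rc = ima_filter_rule_match(prop, lsm_rule->lsm[i].type,` now dereferencing the parameter, every caller of `ima_match_rules()` must pass a populated `struct lsm_prop *` rather than NULL, so a quick audit of those callers belongs in the review. The re-wrapping of the `inode_prop` call across two lines is purely cosmetic.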
> 



