[PATCH 1/2] ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Sun Sep 22 13:56:13 UTC 2024
From: Luca Boccassi <bluca at debian.org>
When loading policies in userspace we want a recognizable error when an
update attempts to use an old policy, as that is an error that needs
to be treated differently from an invalid policy. Use -ESTALE as it is
clear enough for an update mechanism.
Signed-off-by: Luca Boccassi <bluca at debian.org>
---
Found while adding policy loading to systemd, like we do for IMA/SELinux
https://github.com/systemd/systemd/pull/34418
security/ipe/policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index 67a051620889..5de64441dfe7 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -116,7 +116,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
}
if (ver_to_u64(old) > ver_to_u64(new)) {
- rc = -EINVAL;
+ rc = -ESTALE;
goto err;
}
--
2.39.5
More information about the Linux-security-module-archive
mailing list