[PATCH 2/2] ipe: also reject policy updates with the same version
Serge E. Hallyn
serge at hallyn.com
Sun Sep 22 15:42:36 UTC 2024
On Sun, Sep 22, 2024 at 03:56:14PM +0200, luca.boccassi at gmail.com wrote:
> From: Luca Boccassi <bluca at debian.org>
>
> Currently IPE accepts an update that has the same version as the policy
> being updated, but it doesn't make it a no-op nor it checks that the
> old and new policyes are the same. So it is possible to change the
> content of a policy, without changing its version. This is very
> confusing from userspace when managing policies.
> Instead change the update logic to reject updates that have the same
> version with ESTALE, as that is much clearer and intuitive behaviour.
>
> Signed-off-by: Luca Boccassi <bluca at debian.org>
Makes sense.
Reviewed-by: Serge Hallyn <serge at hallyn.com>
for both, thanks.
-serge
> ---
> security/ipe/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/ipe/policy.c b/security/ipe/policy.c
> index 5de64441dfe7..01da3a377e7f 100644
> --- a/security/ipe/policy.c
> +++ b/security/ipe/policy.c
> @@ -115,7 +115,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
> goto err;
> }
>
> - if (ver_to_u64(old) > ver_to_u64(new)) {
> + if (ver_to_u64(old) >= ver_to_u64(new)) {
> rc = -ESTALE;
> goto err;
> }
> --
> 2.39.5
>
More information about the Linux-security-module-archive
mailing list