[PATCH v2 1/2] ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version

[Fan Wu]

On 9/25/2024 1:42 PM, luca.boccassi at gmail.com wrote:
> From: Luca Boccassi <bluca at debian.org>
> 
> When loading policies in userspace we want a recognizable error when an
> update attempts to use an old policy, as that is an error that needs
> to be treated differently from an invalid policy. Use -ESTALE as it is
> clear enough for an update mechanism.
> 
> Signed-off-by: Luca Boccassi <bluca at debian.org>
> Reviewed-by: Serge Hallyn <serge at hallyn.com>
> ---
>   security/ipe/policy.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/ipe/policy.c b/security/ipe/policy.c
> index bf5aa97911e1..3a0069c6d5af 100644
> --- a/security/ipe/policy.c
> +++ b/security/ipe/policy.c
> @@ -107,7 +107,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
>   	}
>   
>   	if (ver_to_u64(old) > ver_to_u64(new)) {
> -		rc = -EINVAL;
> +		rc = -ESTALE;
>   		goto err;
>   	}
>

Acked-by: Fan Wu <wufan at linux.microsoft.com>

I'm still in the process of applying kernel.org account, once I get 
everything setup I will include this in my tree.

If that process take too long time I may ask Paul to merge this from the 
lsm tree in next merge window.

-Fan