[PATCH v3 1/2] ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version

luca.boccassi at gmail.com luca.boccassi at gmail.com
Wed Sep 25 21:01:33 UTC 2024


From: Luca Boccassi <bluca at debian.org>

When loading policies in userspace we want a recognizable error when an
update attempts to use an old policy, as that is an error that needs
to be treated differently from an invalid policy. Use -ESTALE as it is
clear enough for an update mechanism.

Signed-off-by: Luca Boccassi <bluca at debian.org>
Reviewed-by: Serge Hallyn <serge at hallyn.com>
Acked-by: Fan Wu <wufan at linux.microsoft.com>
---
 security/ipe/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index bf5aa97911e1..3a0069c6d5af 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -107,7 +107,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
 	}
 
 	if (ver_to_u64(old) > ver_to_u64(new)) {
-		rc = -EINVAL;
+		rc = -ESTALE;
 		goto err;
 	}
 
-- 
2.39.5




More information about the Linux-security-module-archive mailing list