| Message ID | 20221227014633.4449-1-guozihua@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: Handle error code from security_audit_rule_match | expand |
On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote: > commit c7423dbdbc9e ("ima: Handle -ESTALE returned by > ima_filter_rule_match()") introduced the handling of -ESTALE returned by > security_audit_rule_match(). However, security_audit_rule_match() might > return other error codes if some error occurred. We should handle those > error codes as well. > > Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") > Signed-off-by: GUO Zihua <guozihua@huawei.com> > --- > security/integrity/ima/ima_policy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 6a68ec270822..5561e1b2c376 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, > break; > } > > - if (rc == -ESTALE && !rule_reinitialized) { > + if (rc < 0 && !rule_reinitialized) { Which other error codes are resolved by retrying? > lsm_rule = ima_lsm_copy_rule(rule); > if (lsm_rule) { > rule_reinitialized = true;
On 2022/12/27 19:22, Mimi Zohar wrote: > On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote: >> commit c7423dbdbc9e ("ima: Handle -ESTALE returned by >> ima_filter_rule_match()") introduced the handling of -ESTALE returned by >> security_audit_rule_match(). However, security_audit_rule_match() might >> return other error codes if some error occurred. We should handle those >> error codes as well. >> >> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") >> Signed-off-by: GUO Zihua <guozihua@huawei.com> >> --- >> security/integrity/ima/ima_policy.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c >> index 6a68ec270822..5561e1b2c376 100644 >> --- a/security/integrity/ima/ima_policy.c >> +++ b/security/integrity/ima/ima_policy.c >> @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, >> break; >> } >> >> - if (rc == -ESTALE && !rule_reinitialized) { >> + if (rc < 0 && !rule_reinitialized) { > > Which other error codes are resolved by retrying? Well I re-checked security_audit_rule_match() and it seems that only -ESTALE can be handled. This patch could be ignored. > >> lsm_rule = ima_lsm_copy_rule(rule); >> if (lsm_rule) { >> rule_reinitialized = true; >
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 6a68ec270822..5561e1b2c376 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, break; } - if (rc == -ESTALE && !rule_reinitialized) { + if (rc < 0 && !rule_reinitialized) { lsm_rule = ima_lsm_copy_rule(rule); if (lsm_rule) { rule_reinitialized = true;
commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced the handling of -ESTALE returned by security_audit_rule_match(). However, security_audit_rule_match() might return other error codes if some error occurred. We should handle those error codes as well. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Signed-off-by: GUO Zihua <guozihua@huawei.com> --- security/integrity/ima/ima_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)