
[v7,0/3] ima: Fix IMA mishandling of LSM based rule during

Message ID 20230106012106.21559-1-guozihua@huawei.com (mailing list archive)

Message

Guozihua (Scott) Jan. 6, 2023, 1:21 a.m. UTC
Backports the following three patches to fix the issue of IMA mishandling
LSM based rules during an LSM policy update, causing a file to match an
unexpected rule.

v7:
  Fixed the target for free in ima_lsm_copy_rule().

v6:
  Removed the redundant i in ima_free_rule().

v5:
  Goes back to ima_lsm_free_rule() instead, to avoid freeing
rule->fsname.

v4:
  Make use of the existing ima_free_rule() instead of the backported
ima_lsm_free_rule(), which resolves additional memory leak issues.

v3:
  Backport "LSM: switch to blocking policy update notifiers" as well, as
the prerequisite of "ima: use the lsm policy update notifier".

v2:
  Re-adjusted the backported logic.

GUO Zihua (1):
  ima: Handle -ESTALE returned by ima_filter_rule_match()

Janne Karhunen (2):
  LSM: switch to blocking policy update notifiers
  ima: use the lsm policy update notifier

 drivers/infiniband/core/device.c    |   4 +-
 include/linux/security.h            |  12 +--
 security/integrity/ima/ima.h        |   2 +
 security/integrity/ima/ima_main.c   |   8 ++
 security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
 security/security.c                 |  23 +++--
 security/selinux/hooks.c            |   2 +-
 security/selinux/selinuxfs.c        |   2 +-
 8 files changed, 155 insertions(+), 49 deletions(-)
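
The failure mode the cover letter describes (an LSM based IMA rule evaluated across an LSM policy update, so that a file matches a rule it should not) can be reproduced in a small user-space model. The block below is an added example, not kernel code and not part of this series: the toy LSM, the label table, and the function names (lsm_resolve, lsm_rule_match, ima_match_buggy, ima_match_fixed, demo_stale_rule) are assumptions made for illustration. It assumes the LSM reports -ESTALE for a rule compiled under an earlier policy, models the pre-fix matcher as treating any nonzero result as a match, and models the post-fix matcher as rebuilding the rule and retrying on -ESTALE, which is the path the "Handle -ESTALE returned by ima_filter_rule_match()" patch adds. The notifier-driven rebuild from the other two patches is not modelled here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy LSM policy: label strings resolve to numeric ids, index == id.
 * A policy reload may renumber the labels and always bumps seqno. */
#define MAX_LABELS 4

struct toy_lsm {
	unsigned long seqno;
	const char *labels[MAX_LABELS];
};

static struct toy_lsm lsm = { 1, { "unlabeled_t", "bin_t", "etc_t", NULL } };

/* Resolve a label under the currently loaded policy; -ENOENT if unknown. */
static int lsm_resolve(const char *label)
{
	for (int i = 0; i < MAX_LABELS && lsm.labels[i]; i++)
		if (strcmp(lsm.labels[i], label) == 0)
			return i;
	return -ENOENT;
}

/* A compiled rule: the resolved id plus the policy seqno it was built under. */
struct lsm_rule {
	const char *label;
	int id;
	unsigned long seqno;
};

static int lsm_rule_init(struct lsm_rule *r, const char *label)
{
	int id = lsm_resolve(label);
	if (id < 0)
		return id;
	r->label = label;
	r->id = id;
	r->seqno = lsm.seqno;
	return 0;
}

/* Assumed LSM behaviour: a rule compiled under an older policy is refused with
 * -ESTALE instead of being compared against possibly renumbered ids.
 * Returns 1 on match, 0 on mismatch, negative on error. */
static int lsm_rule_match(const struct lsm_rule *r, int subj_id)
{
	if (r->seqno < lsm.seqno)
		return -ESTALE;
	return r->id == subj_id;
}

/* Pre-fix model: any nonzero result counts as "matched", so -ESTALE matches. */
static int ima_match_buggy(struct lsm_rule *r, int subj_id)
{
	return lsm_rule_match(r, subj_id) != 0;
}

/* Post-fix model: on -ESTALE rebuild the rule under the current policy and retry once. */
static int ima_match_fixed(struct lsm_rule *r, int subj_id)
{
	int rc = lsm_rule_match(r, subj_id);
	if (rc == -ESTALE) {
		if (lsm_rule_init(r, r->label) < 0)
			return 0;	/* label no longer in policy: no match */
		rc = lsm_rule_match(r, subj_id);
	}
	return rc > 0;
}

/* Policy reload: install a new label table (renumbering ids) and bump seqno. */
static void lsm_load_policy(const char *const *labels)
{
	for (int i = 0; i < MAX_LABELS; i++)
		lsm.labels[i] = labels[i];
	lsm.seqno++;
}

/* Scenario: the rule is "match files labelled etc_t". A bin_t file is checked
 * before and after a reload that swaps the ids of bin_t and etc_t.
 * Returns 1 when the buggy matcher wrongly matches bin_t after the reload
 * while the fixed matcher does not and still matches etc_t; 0 otherwise. */
static int demo_stale_rule(void)
{
	static const char *const initial[MAX_LABELS]  = { "unlabeled_t", "bin_t", "etc_t", NULL };
	static const char *const reloaded[MAX_LABELS] = { "unlabeled_t", "etc_t", "bin_t", NULL };
	struct lsm_rule buggy, fixed;
	int bin, etc;

	lsm_load_policy(initial);
	if (lsm_rule_init(&buggy, "etc_t") || lsm_rule_init(&fixed, "etc_t"))
		return -1;
	bin = lsm_resolve("bin_t");
	if (ima_match_buggy(&buggy, bin) || ima_match_fixed(&fixed, bin))
		return 0;	/* fresh rules: a bin_t file must not match */

	lsm_load_policy(reloaded);
	bin = lsm_resolve("bin_t");
	etc = lsm_resolve("etc_t");
	return ima_match_buggy(&buggy, bin) == 1 &&	/* -ESTALE read as a match */
	       ima_match_fixed(&fixed, bin) == 0 &&	/* rule rebuilt, no match */
	       ima_match_fixed(&fixed, etc) == 1;	/* rebuilt rule still matches etc_t */
}

int main(void)
{
	printf("stale-rule mismatch reproduced: %s\n",
	       demo_stale_rule() == 1 ? "yes" : "no");
	return 0;
}
```

The point of the model is the window between the policy reload and the rule being rebuilt: the pre-fix path turns the -ESTALE error into a match for every file it checks, which is exactly "a file matches an unexpected rule", whereas the post-fix path refreshes the rule against the new policy before deciding.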

Comments

Paul Moore Jan. 10, 2023, 2:51 a.m. UTC | #1
On Thu, Jan 5, 2023 at 8:24 PM GUO Zihua <guozihua@huawei.com> wrote:
>
> Backports the following three patches to fix the issue of IMA mishandling
> LSM based rules during an LSM policy update, causing a file to match an
> unexpected rule.
>
> v7:
>   Fixed the target for free in ima_lsm_copy_rule().
>
> v6:
>   Removed the redundant i in ima_free_rule().
>
> v5:
>   Goes back to ima_lsm_free_rule() instead, to avoid freeing
> rule->fsname.
>
> v4:
>   Make use of the existing ima_free_rule() instead of the backported
> ima_lsm_free_rule(), which resolves additional memory leak issues.
>
> v3:
>   Backport "LSM: switch to blocking policy update notifiers" as well, as
> the prerequisite of "ima: use the lsm policy update notifier".
>
> v2:
>   Re-adjusted the backported logic.
>
> GUO Zihua (1):
>   ima: Handle -ESTALE returned by ima_filter_rule_match()
>
> Janne Karhunen (2):
>   LSM: switch to blocking policy update notifiers
>   ima: use the lsm policy update notifier

I'll defer to Mimi for the IMA bits, but the LSM and SELinux related
bits look fine to me and appear to be faithful backports of patches
already in Linus' tree.

>  drivers/infiniband/core/device.c    |   4 +-
>  include/linux/security.h            |  12 +--
>  security/integrity/ima/ima.h        |   2 +
>  security/integrity/ima/ima_main.c   |   8 ++
>  security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
>  security/security.c                 |  23 +++--
>  security/selinux/hooks.c            |   2 +-
>  security/selinux/selinuxfs.c        |   2 +-
>  8 files changed, 155 insertions(+), 49 deletions(-)
>
> --
> 2.17.1
Mimi Zohar Jan. 10, 2023, 1:29 p.m. UTC | #2
On Mon, 2023-01-09 at 21:51 -0500, Paul Moore wrote:
> On Thu, Jan 5, 2023 at 8:24 PM GUO Zihua <guozihua@huawei.com> wrote:
> >
> > Backports the following three patches to fix the issue of IMA mishandling
> > LSM based rules during an LSM policy update, causing a file to match an
> > unexpected rule.
> >
> > v7:
> >   Fixed the target for free in ima_lsm_copy_rule().
> >
> > v6:
> >   Removed the redundant i in ima_free_rule().
> >
> > v5:
> >   Goes back to ima_lsm_free_rule() instead, to avoid freeing
> > rule->fsname.
> >
> > v4:
> >   Make use of the existing ima_free_rule() instead of the backported
> > ima_lsm_free_rule(), which resolves additional memory leak issues.
> >
> > v3:
> >   Backport "LSM: switch to blocking policy update notifiers" as well, as
> > the prerequisite of "ima: use the lsm policy update notifier".
> >
> > v2:
> >   Re-adjusted the backported logic.
> >
> > GUO Zihua (1):
> >   ima: Handle -ESTALE returned by ima_filter_rule_match()
> >
> > Janne Karhunen (2):
> >   LSM: switch to blocking policy update notifiers
> >   ima: use the lsm policy update notifier
> 
> I'll defer to Mimi for the IMA bits, but the LSM and SELinux related
> bits look fine to me and appear to be faithful backports of patches
> already in Linus' tree.

Thanks, Paul, for reviewing and confirming that it looks fine.

Mimi

> 
> >  drivers/infiniband/core/device.c    |   4 +-
> >  include/linux/security.h            |  12 +--
> >  security/integrity/ima/ima.h        |   2 +
> >  security/integrity/ima/ima_main.c   |   8 ++
> >  security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
> >  security/security.c                 |  23 +++--
> >  security/selinux/hooks.c            |   2 +-
> >  security/selinux/selinuxfs.c        |   2 +-
> >  8 files changed, 155 insertions(+), 49 deletions(-)
> >
> > --
> > 2.17.1
>