Message ID | 20230216124227.44058-1-guozihua@huawei.com (mailing list archive) |
---|---|
Series | Backport handling -ESTALE policy update failure to 4.19 |
Hi Scott,

On Thu, 2023-02-16 at 20:42 +0800, GUO Zihua wrote:
> This series backports patches in order to resolve the issue discussed here:
> https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>
> This required backporting the non-blocking LSM policy update mechanism
> prerequisite patches, as well as bugfixes that follow.

For ease of reading, the above sentence should end with a colon and be
followed with the list of commits.

>
> 66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
> is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
> policy update notifiers").
> e144d6b26541 ("ima: Evaluate error in
> init_ima()") is merged as a follow-up bugfix for b16942455193 ("ima:
> use the lsm policy update notifier").
> 483ec26eed42 ("ima: ima/lsm policy
> rule loading logic bug fixes") and 9ff8a616dfab ("ima: Have the LSM free
> its audit rule") are also follow-up bugfixes. The former would change the
> behavior of rule loading without fixing any critical bug so I don't
> think it's necessary, while the latter has already been merged.

Prior to the non-blocking LSM notifier being upstreamed, a custom IMA
policy with LSM based policy rules could not be loaded until the LSM
policy had been initialized. Commit 483ec26eed42 ("ima: ima/lsm policy
rule loading logic bug fixes") reverts the unintended change in
behavior.

>
> I've tested the patches against said issue and can confirm that the
> issue is fixed.
>
> This is a re-send of the original patchset as the original patchset
> might have a faulty cover letter. The original patchset could be found
> here:
> https://patchwork.kernel.org/project/linux-integrity/list/?series=709367

In addition to a "faulty cover letter", included in this version
additional patches are being backported.

Probably better to drop this comment or to include a "Link:" to the
mailing list discussion, as described in
Documentation/process/submitting-patches.

>
> Change log:
> v2: Fixed build issue and backport bugfix commits for backported
> patches.
>
> Daniel Jurgens (1):
>   IB/core: Don't register each MAD agent for LSM notifier
>
> GUO Zihua (1):
>   ima: Handle -ESTALE returned by ima_filter_rule_match()
>
> Janne Karhunen (2):
>   LSM: switch to blocking policy update notifiers
>   ima: use the lsm policy update notifier
>
> Roberto Sassu (1):
>   ima: Evaluate error in init_ima()
>
>  drivers/infiniband/core/core_priv.h |   5 +
>  drivers/infiniband/core/device.c    |   5 +-
>  drivers/infiniband/core/security.c  |  51 +++++-----
>  include/linux/security.h            |  12 +--
>  include/rdma/ib_mad.h               |   3 +-
>  security/integrity/ima/ima.h        |   2 +
>  security/integrity/ima/ima_main.c   |  11 ++
>  security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
>  security/security.c                 |  23 +++--
>  security/selinux/hooks.c            |   2 +-
>  security/selinux/selinuxfs.c        |   2 +-
>  11 files changed, 193 insertions(+), 74 deletions(-)
On 2023/2/22 23:24, Mimi Zohar wrote:
> Hi Scott,
>
> On Thu, 2023-02-16 at 20:42 +0800, GUO Zihua wrote:
>> This series backports patches in order to resolve the issue discussed here:
>> https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>>
>> This required backporting the non-blocking LSM policy update mechanism
>> prerequisite patches, as well as bugfixes that follow.
>
> For ease of reading, the above sentence should end with a colon and be
> followed with the list of commits.

Sure thing. Will make the change.

>>
>> 66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
>> is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
>> policy update notifiers").
>
>> e144d6b26541 ("ima: Evaluate error in
>> init_ima()") is merged as a follow-up bugfix for b16942455193 ("ima:
>> use the lsm policy update notifier").
>
>> 483ec26eed42 ("ima: ima/lsm policy
>> rule loading logic bug fixes") and 9ff8a616dfab ("ima: Have the LSM free
>> its audit rule") are also follow-up bugfixes. The former would change the
>> behavior of rule loading without fixing any critical bug so I don't
>> think it's necessary, while the latter has already been merged.
>
> Prior to the non-blocking LSM notifier being upstreamed, a custom IMA
> policy with LSM based policy rules could not be loaded until the LSM
> policy had been initialized. Commit 483ec26eed42 ("ima: ima/lsm policy
> rule loading logic bug fixes") reverts the unintended change in
> behavior.

Right. I thought that commit was a "feature addition" rather than a fix.
I'll include that in the backport.

>
>>
>> I've tested the patches against said issue and can confirm that the
>> issue is fixed.
>>
>> This is a re-send of the original patchset as the original patchset
>> might have a faulty cover letter. The original patchset could be found
>> here:
>> https://patchwork.kernel.org/project/linux-integrity/list/?series=709367
>
> In addition to a "faulty cover letter", included in this version
> additional patches are being backported.
>
> Probably better to drop this comment or to include a "Link:" to the
> mailing list discussion, as described in
> Documentation/process/submitting-patches.

Got it.

>
>>
>> Change log:
>> v2: Fixed build issue and backport bugfix commits for backported
>> patches.
>>
>> Daniel Jurgens (1):
>>   IB/core: Don't register each MAD agent for LSM notifier
>>
>> GUO Zihua (1):
>>   ima: Handle -ESTALE returned by ima_filter_rule_match()
>>
>> Janne Karhunen (2):
>>   LSM: switch to blocking policy update notifiers
>>   ima: use the lsm policy update notifier
>>
>> Roberto Sassu (1):
>>   ima: Evaluate error in init_ima()
>>
>>  drivers/infiniband/core/core_priv.h |   5 +
>>  drivers/infiniband/core/device.c    |   5 +-
>>  drivers/infiniband/core/security.c  |  51 +++++-----
>>  include/linux/security.h            |  12 +--
>>  include/rdma/ib_mad.h               |   3 +-
>>  security/integrity/ima/ima.h        |   2 +
>>  security/integrity/ima/ima_main.c   |  11 ++
>>  security/integrity/ima/ima_policy.c | 151 ++++++++++++++++++++++------
>>  security/security.c                 |  23 +++--
>>  security/selinux/hooks.c            |   2 +-
>>  security/selinux/selinuxfs.c        |   2 +-
>>  11 files changed, 193 insertions(+), 74 deletions(-)