[4.19,v3,0/6] Backport handling -ESTALE policy update failure to 4.19

Message ID 20230228080630.52370-1-guozihua@huawei.com (mailing list archive)

Message

Guozihua (Scott) Feb. 28, 2023, 8:06 a.m. UTC
This series backports patches in order to resolve the issue discussed here:
https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/

This required backporting the non-blocking LSM policy update mechanism
prerequisite patches, as well as the bugfixes that follow:

c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
42df744c4166 ("LSM: switch to blocking policy update notifiers")
b16942455193 ("ima: use the lsm policy update notifier")
483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes")
e144d6b26541 ("ima: Evaluate error in init_ima()")
c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")

c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
policy update notifiers"). e144d6b26541 ("ima: Evaluate error in
init_ima()"), 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug
fixes") and 9ff8a616dfab ("ima: Have the LSM free its audit rule") are
merged as a follow up bugfix for b16942455193 ("ima: use the lsm policy
update notifier").

I've tested the patches against said issue and can confirm that the
issue is fixed.

Link to the original mailing list discussion:
https://lore.kernel.org/all/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/

Change log:
  v2: Fixed a build issue and backported bugfix commits for the backported
patches.

Daniel Jurgens (1):
  IB/core: Don't register each MAD agent for LSM notifier

GUO Zihua (1):
  ima: Handle -ESTALE returned by ima_filter_rule_match()

Janne Karhunen (3):
  LSM: switch to blocking policy update notifiers
  ima: use the lsm policy update notifier
  ima: ima/lsm policy rule loading logic bug fixes

Roberto Sassu (1):
  ima: Evaluate error in init_ima()

 drivers/infiniband/core/core_priv.h |   5 +
 drivers/infiniband/core/device.c    |   5 +-
 drivers/infiniband/core/security.c  |  51 +++++----
 include/linux/security.h            |  12 +-
 include/rdma/ib_mad.h               |   3 +-
 security/integrity/ima/ima.h        |   2 +
 security/integrity/ima/ima_main.c   |  11 ++
 security/integrity/ima/ima_policy.c | 172 ++++++++++++++++++++++------
 security/security.c                 |  23 ++--
 security/selinux/hooks.c            |   2 +-
 security/selinux/selinuxfs.c        |   2 +-
 11 files changed, 208 insertions(+), 80 deletions(-)

Comments

Paul Moore Feb. 28, 2023, 4:25 p.m. UTC | #1
On Tue, Feb 28, 2023 at 3:09 AM GUO Zihua <guozihua@huawei.com> wrote:
>
> This series backports patches in order to resolve the issue discussed here:
> https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>
> This required backporting the non-blocking LSM policy update mechanism
> prerequisite patches. As well as bugfixes that follows:
>
> c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
> 42df744c4166 ("LSM: switch to blocking policy update notifiers")
> b16942455193 ("ima: use the lsm policy update notifier")
> 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes")
> e144d6b26541 ("ima: Evaluate error in init_ima()")
> c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
>
> c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
> is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
> policy update notifiers"). e144d6b26541 ("ima: Evaluate error in
> init_ima()"), 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug
> fixes") and 9ff8a616dfab ("ima: Have the LSM free its audit rule") are
> merged as a follow up bugfix for b16942455193 ("ima: use the lsm policy
> update notifier").
>
> I've tested the patches against said issue and can confirm that the
> issue is fixed.
>
> Link to the original maillist discussion:
> https://lore.kernel.org/all/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>
> Change log:
>   v2: Fixed build issue and backport bugfix commits for backported
> patches.

Is there a quick summary of the changes in v3 of this patchset?
Mimi Zohar Feb. 28, 2023, 7:45 p.m. UTC | #2
On Tue, 2023-02-28 at 11:25 -0500, Paul Moore wrote:
> On Tue, Feb 28, 2023 at 3:09 AM GUO Zihua <guozihua@huawei.com> wrote:
> >
> > This series backports patches in order to resolve the issue discussed here:
> > https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
> >
> > This required backporting the non-blocking LSM policy update mechanism
> > prerequisite patches. As well as bugfixes that follows:
> >
> > c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
> > 42df744c4166 ("LSM: switch to blocking policy update notifiers")
> > b16942455193 ("ima: use the lsm policy update notifier")
> > 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes")
> > e144d6b26541 ("ima: Evaluate error in init_ima()")
> > c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> >
> > c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
> > is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
> > policy update notifiers"). e144d6b26541 ("ima: Evaluate error in
> > init_ima()"), 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug
> > fixes") and 9ff8a616dfab ("ima: Have the LSM free its audit rule") are
> > merged as a follow up bugfix for b16942455193 ("ima: use the lsm policy
> > update notifier").

Scott, there's no need to duplicate the list of commits like this.
Having an unordered list would have been fine.

> >
> > I've tested the patches against said issue and can confirm that the
> > issue is fixed.
> >
> > Link to the original maillist discussion:
> > https://lore.kernel.org/all/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
> >
> > Change log:
> >   v2: Fixed build issue and backport bugfix commits for backported
> > patches.
> 
> Is there a quick summary of the changes in v3 of this patchset?

v3: Backport commit 483ec26eed42b ("ima: ima/lsm policy rule loading
logic bug fixes") as well.
Guozihua (Scott) March 1, 2023, 1:26 a.m. UTC | #3
On 2023/3/1 3:45, Mimi Zohar wrote:
> On Tue, 2023-02-28 at 11:25 -0500, Paul Moore wrote:
>> On Tue, Feb 28, 2023 at 3:09 AM GUO Zihua <guozihua@huawei.com> wrote:
>>>
>>> This series backports patches in order to resolve the issue discussed here:
>>> https://lore.kernel.org/selinux/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>>>
>>> This required backporting the non-blocking LSM policy update mechanism
>>> prerequisite patches. As well as bugfixes that follows:
>>>
>>> c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
>>> 42df744c4166 ("LSM: switch to blocking policy update notifiers")
>>> b16942455193 ("ima: use the lsm policy update notifier")
>>> 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes")
>>> e144d6b26541 ("ima: Evaluate error in init_ima()")
>>> c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
>>>
>>> c66f67414c1f ("IB/core: Don't register each MAD agent for LSM notifier")
>>> is merged as the prerequisite of 42df744c4166 ("LSM: switch to blocking
>>> policy update notifiers"). e144d6b26541 ("ima: Evaluate error in
>>> init_ima()"), 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug
>>> fixes") and 9ff8a616dfab ("ima: Have the LSM free its audit rule") are
>>> merged as a follow up bugfix for b16942455193 ("ima: use the lsm policy
>>> update notifier").
> 
> Scott, there's no need to duplicate the list of commits like this. 
> Having an unordered list would have been fine.
> 
>>>
>>> I've tested the patches against said issue and can confirm that the
>>> issue is fixed.
>>>
>>> Link to the original maillist discussion:
>>> https://lore.kernel.org/all/389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com/
>>>
>>> Change log:
>>>   v2: Fixed build issue and backport bugfix commits for backported
>>> patches.
>>
>> Is there a quick summary of the changes in v3 of this patchset?
> 
> v3:  Backport commit 483ec26eed42b ("ima: ima/lsm policy rule loading
> logic bug fixes")  as well.
> 
Oh Shoot! Totally forgot about it. Sorry.

The change is as Mimi said, backporting an additional IMA bugfix commit.