Message ID | 20220125224645.79319-3-stefanb@linux.vnet.ibm.com (mailing list archive)
---|---
State | New, archived
Series | ima: Namespace IMA with audit support in IMA-ns
On Tue, Jan 25, 2022 at 05:46:24PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> Before printing a policy rule scan for inactive LSM labels in the policy
> rule. Inactive LSM labels are identified by args_p != NULL and
> rule == NULL.
>
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")

That commit message of the referenced patch reads:

"Don't do lazy policy updates while running the rule matching, run the
updates as they happen."

and given that we had a lengthy discussion on how to update the rules I
really would have liked an explanation why the update needs to run
immediately. Not doing it lazily is the whole reason we have this
notifier infra. Why can't this be done lazily?
Hi Christian,

On Wed, 2022-01-26 at 09:38 +0100, Christian Brauner wrote:
> On Tue, Jan 25, 2022 at 05:46:24PM -0500, Stefan Berger wrote:
> > From: Stefan Berger <stefanb@linux.ibm.com>
> >
> > Before printing a policy rule scan for inactive LSM labels in the policy
> > rule. Inactive LSM labels are identified by args_p != NULL and
> > rule == NULL.
> >
> > Fixes: b16942455193 ("ima: use the lsm policy update notifier")

Stefan, please refer to commit 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes") instead.

> That commit message of the referenced patch reads:
>
> "Don't do lazy policy updates while running the rule matching, run the
> updates as they happen."
>
> and given that we had a lengthy discussion on how to update the rules I
> really would have liked an explanation why the update needs to run
> immediately. Not doing it lazily is the whole reason we have this
> notifier infra. Why can't this be done lazily?

The subject of the original thread leading up to registering a block notifier is titled "Subject: sleep in selinux_audit_rule_init". The message id of the original thread is CAHC9VhS=GsEVUmxtiV64o8G6i2nJpkzxzpyTADgN-vhV8pzZbg@mail.gmail.com.

This patch addresses a bug and could be upstreamed independently of the IMA namespacing patch set.

Should we defer including a summary from the lazy update to block notifier discussion to "[PATCH v9 11/23] ima: Move ima_lsm_policy_notifier into ima_namespace"?

thanks,

Mimi
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 320ca80aacab..2a1f6418b10a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1967,6 +1967,14 @@ int ima_policy_show(struct seq_file *m, void *v) rcu_read_lock(); + /* Do not print rules with inactive LSM labels */ + for (i = 0; i < MAX_LSM_RULES; i++) { + if (entry->lsm[i].args_p && !entry->lsm[i].rule) { + rcu_read_unlock(); + return 0; + } + } + if (entry->action & MEASURE) seq_puts(m, pt(Opt_measure)); if (entry->action & DONT_MEASURE)
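Review bot: the early `return 0` in the new loop silently drops the whole rule from the policy listing, so anyone reading the policy file cannot tell that a rule whose LSM label has not (yet) been resolved exists at all; consider printing the rule with its LSM condition marked as inactive, or at least stating in the commit message that such rules are hidden from the listing. The `rcu_read_unlock()` before the return is correctly balanced against the `rcu_read_lock()` immediately above the hunk. The loop also uses `i` without declaring it in this hunk, so it relies on an `i` already declared earlier in ima_policy_show(); worth confirming that declaration is there rather than leaving it implicit.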