From: "Guozihua (Scott)" <guozihua@huawei.com>
To: Mimi Zohar <zohar@linux.ibm.com>, <dmitry.kasatkin@gmail.com>,
	<paul@paul-moore.com>, <jmorris@namei.org>, <serge@hallyn.com>
Cc: <linux-integrity@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v5 2/2] ima: Handle -ESTALE returned by ima_filter_rule_match()
Date: Fri, 23 Sep 2022 12:01:54 +0800	[thread overview]
Message-ID: <77c9c86b-85a6-aa87-e084-59a70bb47167@huawei.com> (raw)
In-Reply-To: <ce948f9e5639345026679b31a818cc12a247ce60.camel@linux.ibm.com>

On 2022/9/22 19:09, Mimi Zohar wrote:
> Hi Scott,
> 
> On Wed, 2022-09-21 at 20:58 +0800, GUO Zihua wrote:
>>                  }
>> -               if (!rc)
>> -                       return false;
>> +
>> +               if (rc == -ESTALE && !rule_reinitialized) {
> 
> Ok, this limits allocating ima_lsm_copy_rule() to the first -ESTALE,
> 
>> +                       lsm_rule = ima_lsm_copy_rule(rule);
>> +                       if (lsm_rule) {
>> +                               rule_reinitialized = true;
>> +                               goto retry;
> 
> but "retry" is also limited to the first -ESTALE.

Technically we would only need one retry. This loop is looping on all 
the lsm members of one rule, and ima_lsm_copy_rule would update all the 
lsm members of this rule. The "lsm member" here refers to LSM-defined 
properties like obj_user, obj_role, etc. These members are of AND 
relation, meaning all lsm members together would form one LSM rule.

As for the scenario you mentioned, I think it should be really rare. 
Spending too much time and code on this might not be worth it.
> 
>> +                       }
>> +               }
>> +               if (!rc) {
>> +                       result = false;
>> +                       goto out;
>> +               }
>>          }
>> -       return true;
>> +       result = true;
>> +
>> +out:
>> +       if (rule_reinitialized) {
>> +               for (i = 0; i < MAX_LSM_RULES; i++)
>> +                       ima_filter_rule_free(lsm_rule->lsm[i].rule);
>> +               kfree(lsm_rule);
>> +       }
>> +       return result;
>>   }
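Review bot: the fall-through after the -ESTALE branch treats a still-stale rule as a match. If ima_lsm_copy_rule() returns NULL, or if ima_filter_rule_match() returns -ESTALE again on the retry (rule_reinitialized is already true), rc is still -ESTALE, so the `if (!rc)` test below is skipped and the loop moves on to the next LSM member as though this one had matched; any other negative return gets the same treatment. Consider deciding that case explicitly, e.g. `if (rc < 0) { result = false; goto out; }` ahead of `if (!rc)`, or add a comment stating that an error that survives the retry is intentionally treated as a match.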
> 


-- 
Best
GUO Zihua
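The single-retry loop described above (all LSM members of one rule AND-ed together, with one ima_lsm_copy_rule() refreshing every member so that a single retry suffices), as an added example that is not part of this thread or of the kernel's IMA code. It models the LSM policy as a generation counter; `struct rule`, `struct lsm_member`, `member_match()`, `copy_rule()`, `rule_match()` and `make_rule()` are hypothetical stand-ins for the IMA structures and functions. Unlike the patch, the example reports an -ESTALE that survives the retry (or a failed copy) as a non-match instead of letting it fall through, which is a choice made here, not the patch's behaviour.

```c
/* Added example, not kernel code: one-retry matching over the AND-ed
 * LSM members of a rule. All names are hypothetical stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MEMBERS 4

struct lsm_member {
	bool present;            /* slot in use (e.g. obj_user, obj_role, ...) */
	unsigned int generation; /* policy generation the member was compiled against */
	bool matches;            /* constructed: whether this member matches the object */
};

struct rule {
	struct lsm_member lsm[MAX_MEMBERS];
	bool copy_fails;         /* test knob: make copy_rule() return NULL */
};

/* Stand-in for ima_filter_rule_match(): 1 match, 0 no match,
 * -ESTALE when the compiled member predates the current policy. */
static int member_match(const struct lsm_member *m, unsigned int policy_gen)
{
	if (m->generation != policy_gen)
		return -ESTALE;
	return m->matches ? 1 : 0;
}

/* Stand-in for ima_lsm_copy_rule(): recompile every member of the rule
 * against the current policy in one allocation; NULL on failure. */
static struct rule *copy_rule(const struct rule *src, unsigned int policy_gen)
{
	struct rule *n;
	int i;

	if (src->copy_fails)
		return NULL;
	n = malloc(sizeof(*n));
	if (!n)
		return NULL;
	*n = *src;
	for (i = 0; i < MAX_MEMBERS; i++)
		if (n->lsm[i].present)
			n->lsm[i].generation = policy_gen;
	return n;
}

/*
 * Returns 1 if every present member matches (AND semantics), 0 if one
 * does not, or -ESTALE if the rule is still stale after the one allowed
 * retry. A negative rc that survives the retry is reported rather than
 * falling through as a match (a deliberate choice in this example).
 * *retries receives how many times the rule was re-copied (0 or 1).
 */
int rule_match(const struct rule *rule, unsigned int policy_gen, int *retries)
{
	const struct rule *cur = rule;
	struct rule *copy = NULL;
	bool reinitialized = false;
	int result, rc, i;

	*retries = 0;
retry:
	for (i = 0; i < MAX_MEMBERS; i++) {
		if (!cur->lsm[i].present)
			continue;
		rc = member_match(&cur->lsm[i], policy_gen);
		if (rc == -ESTALE && !reinitialized) {
			copy = copy_rule(rule, policy_gen);
			if (copy) {
				reinitialized = true;
				(*retries)++;
				/* one copy refreshed every member, so restarting once is enough */
				cur = copy;
				goto retry;
			}
		}
		if (rc < 0) {
			result = rc;
			goto out;
		}
		if (!rc) {
			result = 0;
			goto out;
		}
	}
	result = 1;
out:
	free(copy);
	return result;
}

/* Constructed two-member rule (say obj_user AND obj_role) compiled at
 * policy generation 1. */
struct rule make_rule(bool m0, bool m1, bool copy_fails)
{
	struct rule r;

	memset(&r, 0, sizeof(r));
	r.lsm[0].present = true;
	r.lsm[0].generation = 1;
	r.lsm[0].matches = m0;
	r.lsm[1].present = true;
	r.lsm[1].generation = 1;
	r.lsm[1].matches = m1;
	r.copy_fails = copy_fails;
	return r;
}
```

Matching the rule at generation 1 needs no retry; matching it after the policy has moved to generation 2 triggers exactly one copy, after which both members are evaluated against the fresh copy, and a member that does not match still yields a non-match. With the copy knob set to fail, the -ESTALE is returned to the caller instead of being silently treated as a match.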


Thread overview: 17+ messages
2022-09-21 12:58 [PATCH v5 0/2] ima: Handle -ESTALE returned by ima_filter_rule_match() GUO Zihua
2022-09-21 12:58 ` [PATCH v5 1/2] ima: Simplify ima_lsm_copy_rule GUO Zihua
2022-09-21 12:58 ` [PATCH v5 2/2] ima: Handle -ESTALE returned by ima_filter_rule_match() GUO Zihua
2022-09-22 11:09   ` Mimi Zohar
2022-09-23  4:01     ` Guozihua (Scott) [this message]
2022-09-23 11:19       ` Mimi Zohar
2022-09-24  6:05         ` Guozihua (Scott)
2022-09-28 14:11           ` Mimi Zohar
2022-10-04 14:19             ` Roberto Sassu
2022-10-18  8:43             ` Guozihua (Scott)
2022-10-19  1:07               ` Mimi Zohar
2022-10-19  7:17                 ` Guozihua (Scott)
2022-10-28  8:36                   ` Guozihua (Scott)
2022-11-01 22:15                     ` Mimi Zohar
2022-11-02  1:42                       ` Guozihua (Scott)
2022-11-03 13:15                         ` Mimi Zohar
2022-11-14  3:31                           ` Guozihua (Scott)
