* [PATCH] ima: Handle error code from security_audit_rule_match
From: GUO Zihua @ 2022-12-27 1:46 UTC
To: zohar, dmitry.kasatkin; +Cc: linux-integrity
commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced the handling of -ESTALE returned by
security_audit_rule_match(). However, security_audit_rule_match() might
return other error codes if some error occurred. We should handle those
error codes as well.
Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Signed-off-by: GUO Zihua <guozihua@huawei.com>
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 6a68ec270822..5561e1b2c376 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
break;
}
- if (rc == -ESTALE && !rule_reinitialized) {
+ if (rc < 0 && !rule_reinitialized) {
lsm_rule = ima_lsm_copy_rule(rule);
if (lsm_rule) {
rule_reinitialized = true;
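Review bot: The widened test `rc < 0 && !rule_reinitialized` sends every negative return code into the ima_lsm_copy_rule(rule) retry path, yet the commit message names no error code other than -ESTALE and does not explain why re-copying the rule would clear any of them. Either keep `rc == -ESTALE`, or list the specific codes that a refreshed rule copy can resolve and justify each one in the commit message; for an error that the copy does not address, the `!rule_reinitialized` guard only limits the cost to one wasted retry. The Fixes: tag should likewise be backed by a described failure in c7423dbdbc9e, which the message does not give.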
--
2.17.1
* Re: [PATCH] ima: Handle error code from security_audit_rule_match
From: Mimi Zohar @ 2022-12-27 11:22 UTC
To: GUO Zihua, dmitry.kasatkin; +Cc: linux-integrity
On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote:
> commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> ima_filter_rule_match()") introduced the handling of -ESTALE returned by
> security_audit_rule_match(). However, security_audit_rule_match() might
> return other error codes if some error occurred. We should handle those
> error codes as well.
>
> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> Signed-off-by: GUO Zihua <guozihua@huawei.com>
> ---
> security/integrity/ima/ima_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 6a68ec270822..5561e1b2c376 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> break;
> }
>
> - if (rc == -ESTALE && !rule_reinitialized) {
> + if (rc < 0 && !rule_reinitialized) {
Which other error codes are resolved by retrying?
> lsm_rule = ima_lsm_copy_rule(rule);
> if (lsm_rule) {
> rule_reinitialized = true;
--
Thanks,
Mimi
* Re: [PATCH] ima: Handle error code from security_audit_rule_match
From: Guozihua (Scott) @ 2022-12-30 7:05 UTC
To: Mimi Zohar, dmitry.kasatkin; +Cc: linux-integrity
On 2022/12/27 19:22, Mimi Zohar wrote:
> On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote:
>> commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
>> ima_filter_rule_match()") introduced the handling of -ESTALE returned by
>> security_audit_rule_match(). However, security_audit_rule_match() might
>> return other error codes if some error occurred. We should handle those
>> error codes as well.
>>
>> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
>> Signed-off-by: GUO Zihua <guozihua@huawei.com>
>> ---
>> security/integrity/ima/ima_policy.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 6a68ec270822..5561e1b2c376 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
>> break;
>> }
>>
>> - if (rc == -ESTALE && !rule_reinitialized) {
>> + if (rc < 0 && !rule_reinitialized) {
>
> Which other error codes are resolved by retrying?
Well I re-checked security_audit_rule_match() and it seems that only
-ESTALE can be handled. This patch could be ignored.
>
>> lsm_rule = ima_lsm_copy_rule(rule);
>> if (lsm_rule) {
>> rule_reinitialized = true;
>
--
Best
GUO Zihua