All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] ima: Handle error code from security_audit_rule_match
@ 2022-12-27  1:46 GUO Zihua
  2022-12-27 11:22 ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: GUO Zihua @ 2022-12-27  1:46 UTC (permalink / raw)
  To: zohar, dmitry.kasatkin; +Cc: linux-integrity

commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced the handling of -ESTALE returned by
security_audit_rule_match(). However, security_audit_rule_match() might
return other error codes if some error occurred. We should handle those
error codes as well.

Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Signed-off-by: GUO Zihua <guozihua@huawei.com>
---
 security/integrity/ima/ima_policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 6a68ec270822..5561e1b2c376 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
 			break;
 		}
 
-		if (rc == -ESTALE && !rule_reinitialized) {
+		if (rc < 0 && !rule_reinitialized) {
 			lsm_rule = ima_lsm_copy_rule(rule);
 			if (lsm_rule) {
 				rule_reinitialized = true;
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] ima: Handle error code from security_audit_rule_match
  2022-12-27  1:46 [PATCH] ima: Handle error code from security_audit_rule_match GUO Zihua
@ 2022-12-27 11:22 ` Mimi Zohar
  2022-12-30  7:05   ` Guozihua (Scott)
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2022-12-27 11:22 UTC (permalink / raw)
  To: GUO Zihua, dmitry.kasatkin; +Cc: linux-integrity

On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote:
> commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
> ima_filter_rule_match()") introduced the handling of -ESTALE returned by
> security_audit_rule_match(). However, security_audit_rule_match() might
> return other error codes if some error occurred. We should handle those
> error codes as well.
> 
> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
> Signed-off-by: GUO Zihua <guozihua@huawei.com>
> ---
>  security/integrity/ima/ima_policy.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 6a68ec270822..5561e1b2c376 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
>  			break;
>  		}
>  
> -		if (rc == -ESTALE && !rule_reinitialized) {
> +		if (rc < 0 && !rule_reinitialized) {

Which other error codes are resolved by retrying?

>  			lsm_rule = ima_lsm_copy_rule(rule);
>  			if (lsm_rule) {
>  				rule_reinitialized = true;

-- 
Thanks,

Mimi


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] ima: Handle error code from security_audit_rule_match
  2022-12-27 11:22 ` Mimi Zohar
@ 2022-12-30  7:05   ` Guozihua (Scott)
  0 siblings, 0 replies; 3+ messages in thread
From: Guozihua (Scott) @ 2022-12-30  7:05 UTC (permalink / raw)
  To: Mimi Zohar, dmitry.kasatkin; +Cc: linux-integrity

On 2022/12/27 19:22, Mimi Zohar wrote:
> On Tue, 2022-12-27 at 09:46 +0800, GUO Zihua wrote:
>> commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
>> ima_filter_rule_match()") introduced the handling of -ESTALE returned by
>> security_audit_rule_match(). However, security_audit_rule_match() might
>> return other error codes if some error occurred. We should handle those
>> error codes as well.
>>
>> Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
>> Signed-off-by: GUO Zihua <guozihua@huawei.com>
>> ---
>>  security/integrity/ima/ima_policy.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 6a68ec270822..5561e1b2c376 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -663,7 +663,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
>>  			break;
>>  		}
>>  
>> -		if (rc == -ESTALE && !rule_reinitialized) {
>> +		if (rc < 0 && !rule_reinitialized) {
> 
> Which other error codes are resolved by retrying?
Well I re-checked security_audit_rule_match() and it seems that only
-ESTALE can be handled. This patch could be ignored.
> 
>>  			lsm_rule = ima_lsm_copy_rule(rule);
>>  			if (lsm_rule) {
>>  				rule_reinitialized = true;
> 

-- 
Best
GUO Zihua


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-12-30  7:05 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-27  1:46 [PATCH] ima: Handle error code from security_audit_rule_match GUO Zihua
2022-12-27 11:22 ` Mimi Zohar
2022-12-30  7:05   ` Guozihua (Scott)

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.