From: Mimi Zohar <zohar@linux.ibm.com>
To: GUO Zihua <guozihua@huawei.com>,
	stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: paul@paul-moore.com, linux-integrity@vger.kernel.org,
	luhuaxin1@huawei.com
Subject: Re: [PATCH v2 1/2] ima: use the lsm policy update notifier
Date: Tue, 03 Jan 2023 13:50:48 -0500
Message-ID: <a93e895499a32160298b19636ab3157c541aee88.camel@linux.ibm.com>
In-Reply-To: <20230103022011.15741-2-guozihua@huawei.com>

On Tue, 2023-01-03 at 10:20 +0800, GUO Zihua wrote:
> From: Janne Karhunen <janne.karhunen@gmail.com>
> 
> [ Upstream commit b169424551930a9325f700f502802f4d515194e5 ]
> 
> This patch is backported to resolve the issue of IMA ignoring LSM part of
> an LSM based rule. As the LSM notifier chain was an atomic notifier
> chain, we'll not be able to call synchronize_rcu() within our notifier
> handling function. Instead, we call the call_rcu() function to resolve
> the freeing issue. To do that, we would need to include an rcu_head
> member in our rule, as well as wrap the call to ima_lsm_free_rule() into
> a rcu_callback_t type callback function.
> 
> Original patch message is as follows:
> 
> commit b169424551930a9325f700f502802f4d515194e5
> Author: Janne Karhunen <janne.karhunen@gmail.com>
> Date:   Fri Jun 14 15:20:15 2019 +0300
> 
>   Don't do lazy policy updates while running the rule matching,
>   run the updates as they happen.
> 
>   Depends on commit f242064c5df3 ("LSM: switch to blocking policy update
>                                   notifiers")
> 
>   Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
>   Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Cc: stable@vger.kernel.org #4.19.y
> Signed-off-by: GUO Zihua <guozihua@huawei.com>

There was quite a bit of discussion regarding converting the atomic
notifier to blocking, but this backport doesn't make that change.

Refer to 
https://lore.kernel.org/linux-integrity/CAHC9VhS=GsEVUmxtiV64o8G6i2nJpkzxzpyTADgN-vhV8pzZbg@mail.gmail.com/

Mimi
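
The deferred-free pattern that the quoted backport description outlines (an rcu_head embedded in the rule, with the free routine wrapped in an rcu_callback_t callback), shown as an added userspace model that is not code from the patch or from the kernel. The model_* names, the pending list and the simulated grace period are assumptions standing in for the kernel's RCU machinery.

```c
#include <stddef.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel types named in the commit message. */
struct rcu_head { struct rcu_head *next; void (*func)(struct rcu_head *); };
typedef void (*rcu_callback_t)(struct rcu_head *);
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))

struct model_rule {              /* hypothetical rule type */
	int lsm_generation;      /* stands in for the LSM part of the rule */
	struct rcu_head rcu;     /* the added rcu_head member */
};
static struct rcu_head *pending; /* callbacks waiting for a grace period */
static int rules_freed;          /* number of rules actually released */

/* Model of call_rcu(): queue the callback and return at once, never blocking. */
static void model_call_rcu(struct rcu_head *head, rcu_callback_t func)
{
	head->func = func;
	head->next = pending;
	pending = head;
}

/* Model of a grace period ending: every queued callback runs now. */
static void model_grace_period_end(void)
{
	while (pending) {
		struct rcu_head *head = pending;
		pending = head->next;
		head->func(head);
	}
}

static void model_lsm_free_rule(struct model_rule *rule) /* cf. ima_lsm_free_rule() */
{
	free(rule);
	rules_freed++;
}

/* rcu_callback_t wrapper: recover the rule from its embedded rcu_head. */
static void model_free_rule_rcu(struct rcu_head *head)
{
	model_lsm_free_rule(container_of(head, struct model_rule, rcu));
}

/* Notifier-style handler: publish the replacement, defer freeing the old rule. */
static void model_policy_update(struct model_rule **slot, struct model_rule *fresh)
{
	struct model_rule *old = *slot;
	*slot = fresh;
	model_call_rcu(&old->rcu, model_free_rule_rcu);
}
```

The handler returns with the old rule still allocated; it is released only when the modelled grace period ends, which is why this approach needs no blocking call inside the handler.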

