From: "Guozihua (Scott)"
To: Greg KH
CC: Mimi Zohar, Paul Moore, linux-integrity@vger.kernel.org
Subject: Re: [RFC] IMA LSM based rule race condition issue on 4.19 LTS
Date: Fri, 9 Dec 2022 16:59:17 +0800
Message-ID: <58219c48-840d-b4f3-b195-82b2a1465b37@huawei.com>
References: <389334fe-6e12-96b2-6ce9-9f0e8fcb85bf@huawei.com> <93d137dc-e0d3-3741-7e01-dca1ba9c0903@huawei.com>
List-ID: stable@vger.kernel.org

On 2022/12/9 16:46, Greg KH wrote:
> On Fri, Dec 09, 2022 at 03:53:25PM +0800, Guozihua (Scott) wrote:
>> On 2022/12/9 15:12, Greg KH wrote:
>>> On Fri, Dec 09, 2022 at 03:00:35PM +0800, Guozihua (Scott) wrote:
>>>> Hi community.
>>>>
>>>> Previously our team reported a race condition in IMA related to LSM based
>>>> rules which would cause IMA to match files that should be filtered out under
>>>> normal conditions. The issue was originally analyzed and fixed on mainstream.
>>>> The patch and the discussion could be found here:
>>>> https://lore.kernel.org/all/20220921125804.59490-1-guozihua@huawei.com/
>>>>
>>>> After that, we did a regression test on 4.19 LTS and the same issue arises.
>>>> Further analysis revealed that the issue is from a completely different
>>>> cause.
>>>
>>> What commit in the tree fixed this in newer kernels? Why can't we just
>>> backport that one to 4.19.y as well?
>>>
>>> thanks,
>>>
>>> greg k-h
>>
>> Hi Greg,
>>
>> The fix for mainline is now on linux-next, commit d57378d3aa4d ("ima:
>> Simplify ima_lsm_copy_rule") and c7423dbdbc9ece ("ima: Handle -ESTALE
>> returned by ima_filter_rule_match()"). However, these patches cannot be
>> picked directly into 4.19.y due to code differences.
>
> Ok, so it's much more than just 4.19 that's an issue here. And are
> those commits tagged for stable inclusion?

Not actually, not on the commit itself.

>
>> The commit which introduced the issue on mainline was believed to be
>> b16942455193 ("ima: use the lsm policy update notifier"), which is not in
>> 4.19.y. And the mainline patch is designed to handle the situation when IMA
>> rules are accessed through RCU, which has not been implemented on 4.19.y
>> either.
>
> Ok, then provide a series of backports to 4.19 and we will be glad to
> review them.

If we are backporting these commits to 4.19 then maybe we would have to start
with the commit that makes rule access in IMA RCU protected. I'll have a look
into whether it's easy to do.

>
> thanks,
>
> greg k-h

--
Best
GUO Zihua