2022-01-26 11:46:23

by Stefan Berger

Subject: [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels

From: Stefan Berger <[email protected]>

Before printing a policy rule, scan for inactive LSM labels in the policy
rule. Inactive LSM labels are identified by args_p != NULL and
rule == NULL.

Fixes: b16942455193 ("ima: use the lsm policy update notifier")
Signed-off-by: Stefan Berger <[email protected]>
---
security/integrity/ima/ima_policy.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 320ca80aacab..2a1f6418b10a 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1967,6 +1967,14 @@ int ima_policy_show(struct seq_file *m, void *v)

rcu_read_lock();

+ /* Do not print rules with inactive LSM labels */
+ for (i = 0; i < MAX_LSM_RULES; i++) {
+ if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
+ rcu_read_unlock();
+ return 0;
+ }
+ }
+
if (entry->action & MEASURE)
seq_puts(m, pt(Opt_measure));
if (entry->action & DONT_MEASURE)
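Review bot: the loop variable i is used by the added scan but its declaration is not part of this hunk; if ima_policy_show() does not already declare `int i` for a later loop, this will not build, so either include the declaration here or state in the commit message that it is pre-existing. The early `return 0` after `rcu_read_unlock()` correctly releases the lock taken just above it, but it also silently drops the rule from the policy output, so the commit message should explain that `args_p` set with `rule == NULL` means the LSM label could not be resolved and say why hiding such a rule is preferable to printing it with an indication, since an administrator reading the policy otherwise has no hint that a loaded rule is inactive. Finally, the Fixes: tag cites b16942455193, whose message (as quoted in the reply below) concerns running policy updates as they happen rather than the args_p/rule state this check relies on; the tag should name the commit that introduced that state, which the thread identifies as 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes").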
--
2.31.1


2022-01-26 20:35:40

by Christian Brauner

Subject: Re: [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels

On Tue, Jan 25, 2022 at 05:46:24PM -0500, Stefan Berger wrote:
> From: Stefan Berger <[email protected]>
>
> Before printing a policy rule scan for inactive LSM labels in the policy
> rule. Inactive LSM labels are identified by args_p != NULL and
> rule == NULL.
>
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")

That commit message of the referenced patch reads:

"Don't do lazy policy updates while running the rule matching, run the
updates as they happen."

and given that we had a lengthy discussion about how to update the rules, I
really would have liked an explanation of why the update needs to run
immediately. Not doing it lazily is the whole reason we have this
notifier infra. Why can't this be done lazily?

2022-01-28 04:25:37

by Mimi Zohar

Subject: Re: [PATCH v9 02/23] ima: Do not print policy rule with inactive LSM labels

Hi Christian,

On Wed, 2022-01-26 at 09:38 +0100, Christian Brauner wrote:
> On Tue, Jan 25, 2022 at 05:46:24PM -0500, Stefan Berger wrote:
> > From: Stefan Berger <[email protected]>
> >
> > Before printing a policy rule scan for inactive LSM labels in the policy
> > rule. Inactive LSM labels are identified by args_p != NULL and
> > rule == NULL.
> >
> > Fixes: b16942455193 ("ima: use the lsm policy update notifier")

Stefan, please refer to commit 483ec26eed42 ("ima: ima/lsm policy rule
loading logic bug fixes") instead.

>
> That commit message of the referenced patch reads:
>
> "Don't do lazy policy updates while running the rule matching, run the
> updates as they happen."
>
> and given that we had a lengthy discussion how to update the rules I'd
> really would have liked an explanation why the update needs to run
> immediately. Not doing it lazily is the whole reason we have this
> notifier infra. Why can't this be done lazily?

The subject of the original thread leading up to registering a block
notifier is titled
"Subject: sleep in selinux_audit_rule_init". The message id of the
original thread is
CAHC9VhS=GsEVUmxtiV64o8G6i2nJpkzxzpyTADgN-vhV8pzZbg@mail.gmail.com.

This patch addresses a bug and could be upstreamed independently of the
IMA namespacing patch set. Should we defer including a summary of
the lazy update to block notifier discussion to "[PATCH v9 11/23] ima:
Move ima_lsm_policy_notifier into ima_namespace"?

thanks,

Mimi