On 2023/1/4 2:50, Mimi Zohar wrote:
On Tue, 2023-01-03 at 10:20 +0800, GUO Zihua wrote:
From: Janne Karhunen janne.karhunen@gmail.com
[ Upstream commit b169424551930a9325f700f502802f4d515194e5 ]
This patch is backported to resolve the issue of IMA ignoring LSM part of an LSM based rule. As the LSM notifier chain was an atomic notifier chain, we'll not be able to call synchronize_rcu() within our notifier handling function. Instead, we call the call_rcu() function to resolve the freeing issue. To do that, we would need to include an rcu_head member in our rule, as well as wrap the call to ima_lsm_free_rule() into a rcu_callback_t type callback function.
Original patch message is as follows:
commit b169424551930a9325f700f502802f4d515194e5
Author: Janne Karhunen janne.karhunen@gmail.com
Date: Fri Jun 14 15:20:15 2019 +0300
Don't do lazy policy updates while running the rule matching, run the updates as they happen.
Depends on commit f242064c5df3 ("LSM: switch to blocking policy update notifiers")
Signed-off-by: Janne Karhunen janne.karhunen@gmail.com
Signed-off-by: Mimi Zohar zohar@linux.ibm.com
Cc: stable@vger.kernel.org #4.19.y
Signed-off-by: GUO Zihua guozihua@huawei.com
There was quite a bit of discussion regarding converting the atomic notifier to blocking, but this backport doesn't make that change.
Refer to https://lore.kernel.org/linux-integrity/CAHC9VhS=GsEVUmxtiV64o8G6i2nJpkzxzpy...
Well it seems that the bug mentioned here is still valid on 4.19.y. Which is worrying. I'll try backporting the blocking notifier change as well.
Mimi
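
The deferred-free pattern described in the backport note above, as an added userspace model (not code from the patch or the kernel): `rcu_head`, `call_rcu()` and `container_of` are simplified stand-ins, and every `demo_*` name and `grace_period_elapsed()` are hypothetical. It shows the old rule staying valid for a reader until the grace period ends, without the handler ever blocking.

```c
#include <stddef.h>
#include <stdlib.h>
/* Userspace stand-ins for the kernel's rcu_head / call_rcu(); constructed for illustration. */
struct rcu_head { struct rcu_head *next; void (*func)(struct rcu_head *); };
static struct rcu_head *pending;        /* callbacks waiting for a grace period */

static void call_rcu(struct rcu_head *h, void (*f)(struct rcu_head *))
{
    h->func = f;                        /* only queues work, never sleeps */
    h->next = pending;
    pending = h;
}

/* Models the end of a grace period: every earlier reader has finished. */
static int grace_period_elapsed(void)
{
    int n = 0;
    while (pending) {
        struct rcu_head *h = pending;
        pending = h->next;              /* read the link before the callback frees h */
        h->func(h);
        n++;
    }
    return n;
}

#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
/* Hypothetical rule: the LSM part plus the rcu_head member the backport adds. */
struct demo_rule { int lsm_secid; struct rcu_head rcu; };
static int rules_freed;
static struct demo_rule *current_rule;
static void demo_free_rule(struct demo_rule *r) { free(r); rules_freed++; }

/* Callback-shaped wrapper around the free routine, recovering the rule from its rcu_head. */
static void demo_free_rule_rcu(struct rcu_head *h)
{
    demo_free_rule(container_of(h, struct demo_rule, rcu));
}

/* Notifier handler: LSM policy changed, so replace the rule's LSM part immediately. */
static int demo_lsm_policy_change(int new_secid)
{
    struct demo_rule *old = current_rule, *nw = malloc(sizeof(*nw));
    if (!nw) return -1;
    nw->lsm_secid = new_secid;
    current_rule = nw;                  /* publish (rcu_assign_pointer() in the kernel) */
    if (old) call_rcu(&old->rcu, demo_free_rule_rcu);   /* defer the free, no blocking */
    return 0;
}
```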