Backports the following three patches to fix the issue of IMA mishandling LSM-based rules during an LSM policy update, causing a file to match an unexpected rule.
v4: Make use of the existing ima_free_rule() instead of the backported ima_lsm_free_rule(), which resolves additional memory leak issues.
v3: Backport "LSM: switch to blocking policy update notifiers" as well, as the prerequisite of "ima: use the lsm policy update notifier".
v2: Re-adjust the backported logic.

GUO Zihua (1):
  ima: Handle -ESTALE returned by ima_filter_rule_match()

Janne Karhunen (2):
  LSM: switch to blocking policy update notifiers
  ima: use the lsm policy update notifier

 drivers/infiniband/core/device.c    |   4 +-
 include/linux/security.h            |  12 +--
 security/integrity/ima/ima.h        |   2 +
 security/integrity/ima/ima_main.c   |   8 ++
 security/integrity/ima/ima_policy.c | 136 ++++++++++++++++++++++------
 security/security.c                 |  23 +++--
 security/selinux/hooks.c            |   2 +-
 security/selinux/selinuxfs.c        |   2 +-
 8 files changed, 143 insertions(+), 46 deletions(-)