Re: [PATCH v24 04/25] IMA: avoid label collisions with stacked LSMs
From: Mimi Zohar
Date: Mon Feb 22 2021 - 19:28:32 EST
On Mon, 2021-02-22 at 15:45 -0800, Casey Schaufler wrote:
> On 2/14/2021 10:21 AM, Mimi Zohar wrote:
>
> Would these changes match your suggestion?
>
> security/integrity/ima/ima_policy.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 9ac673472781..e80956548243 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -78,11 +78,11 @@ struct ima_rule_entry {
> bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */
> bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */
> int pcr;
> + int which_lsm; /* which of the rules to use */
> struct {
> void *rules[LSMBLOB_ENTRIES]; /* LSM file metadata specific */
If each IMA policy rule may only contain a single LSM specific
LSM_OBJ_{USER | ROLE | TYPE} and LSM_SUBJ_{USER | ROLE | TYPE}, then
there is no need for rules[LSMBLOB_ENTRIES]. Leave it as "*rule".
Otherwise it looks good.
Mimi
> char *args_p; /* audit value */
> int type; /* audit type */
> - int which_lsm; /* which of the rules to use */
> } lsm[MAX_LSM_RULES];
> char *fsname;
> struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */