On Wed, Aug 26, 2020 at 11:14 AM Casey Schaufler <casey(a)schaufler-ca.com> wrote:
The IMA interfaces ima_get_action() and ima_match_policy()
call LSM functions that use lsmblobs. Change the IMA functions
to pass the lsmblob to be compatible with the LSM functions.
Reviewed-by: Kees Cook <keescook(a)chromium.org>
Reviewed-by: John Johansen <john.johansen(a)canonical.com>
Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com>
cc: linux-integrity(a)vger.kernel.org
---
security/integrity/ima/ima.h | 11 +++++----
security/integrity/ima/ima_api.c | 10 ++++----
security/integrity/ima/ima_appraise.c | 6 ++---
security/integrity/ima/ima_main.c | 35 +++++++++++----------------
security/integrity/ima/ima_policy.c | 14 +++++------
5 files changed, 34 insertions(+), 42 deletions(-)
...
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_policy.c
index a86b35dad4fa..b057c758b430 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -519,7 +519,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode
*inode,
case LSM_SUBJ_USER:
case LSM_SUBJ_ROLE:
case LSM_SUBJ_TYPE:
- lsmblob_init(&lsmdata, secid);
rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type,
Audit_equal,
rule->lsm[i].rules);
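Review bot: in this hunk the `lsmblob_init(&lsmdata, secid);` line is removed, yet the call that follows still passes `&lsmdata` to `ima_filter_rule_match()`, so the match is evaluated against a local that this hunk no longer populates; the call should take the lsmblob pointer that `ima_match_rules()` is being changed to receive, and once that is done the local `lsmdata` has no remaining use in this arm and can be dropped, avoiding a silent policy mismatch on an uninitialized blob.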
I'm jumping across patches in this patchset so I may have missed something, but I think the ima_filter_rule_match() call should be using the passed "blob" pointer and not the local "lsmdata" right? If this is correct, I think this patch can also remove the local "lsmdata" as well.
--
paul moore
www.paul-moore.com