On Wed, Aug 26, 2020 at 11:14 AM Casey Schaufler <[email protected]> wrote:
>
> The IMA interfaces ima_get_action() and ima_match_policy()
> call LSM functions that use lsmblobs. Change the IMA functions
> to pass the lsmblob to be compatible with the LSM functions.
>
> Reviewed-by: Kees Cook <[email protected]>
> Reviewed-by: John Johansen <[email protected]>
> Acked-by: Stephen Smalley <[email protected]>
> Signed-off-by: Casey Schaufler <[email protected]>
> cc: [email protected]
> ---
>  security/integrity/ima/ima.h          | 11 +++++----
>  security/integrity/ima/ima_api.c      | 10 ++++----
>  security/integrity/ima/ima_appraise.c |  6 ++---
>  security/integrity/ima/ima_main.c     | 35 +++++++++++----------------
>  security/integrity/ima/ima_policy.c   | 14 +++++------
>  5 files changed, 34 insertions(+), 42 deletions(-)

...

> diff --git a/security/integrity/ima/ima_policy.c > b/security/integrity/ima/ima_policy.c > index a86b35dad4fa..b057c758b430 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -519,7 +519,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, > struct inode *inode, > case LSM_SUBJ_USER: > case LSM_SUBJ_ROLE: > case LSM_SUBJ_TYPE: > - lsmblob_init(&lsmdata, secid); > rc = ima_filter_rule_match(&lsmdata, > rule->lsm[i].type, > Audit_equal, > rule->lsm[i].rules);

I'm jumping across patches in this patchset so I may have missed
something, but I think the ima_filter_rule_match() call should be
using the passed "blob" pointer and not the local "lsmdata" right? If
this is correct, I think this patch can also remove the local
"lsmdata" as well.

--
paul moore
www.paul-moore.com
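
Review bot: in the LSM_SUBJ_USER/LSM_SUBJ_ROLE/LSM_SUBJ_TYPE cases of ima_match_rules(), the ima_filter_rule_match(&lsmdata, ...) call still reads the local lsmdata after the lsmblob_init(&lsmdata, secid) line that filled it is removed. Unless lsmdata is initialized somewhere these lines do not show, the subject rule match would compare against a blob that no longer carries the caller's security data, so an IMA policy rule keyed on subject user, role or type could match or miss incorrectly. Since the commit message says the IMA functions now pass the lsmblob through, the first argument should be the lsmblob pointer handed to ima_match_rules(), and the local lsmdata declaration should be dropped in the same patch so the compiler flags any remaining use.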
