On Mon, 2026-07-06 at 23:03 -0400, Mimi Zohar wrote:
> On Thu, 2026-07-02 at 21:04 +0200, Enrico Bravi wrote:
> 
> > diff --git a/security/integrity/ima/ima_policy.c
> > b/security/integrity/ima/ima_policy.c
> > index a65b7e4b64d6..d6d249190705 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -591,6 +593,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> >     switch (func) {
> >     case KEY_CHECK:
> >     case CRITICAL_DATA:
> > +   case POLICY_CHECK:
> >             return ((rule->func == func) &&
> >                     ima_match_rule_data(rule, func_data, cred));
> >     default:
> 
> Hi Enrico,
> 
> Unlike the other hooks, KEY_CHECK and CRITICAL_DATA are special cases, which
> only allow a set of keyrings or labels respectively.  POLICY_CHECK rules can
> be
> defined in terms of other file metadata (e.g. uid, gid, ...). With this
> change,
> any options specified on the rule will be not be matched.

Hi Mimi,

you're right.

> ima_match_rule_data() should only be called for buffer measurements, when
> there
> is no inode. 
> 
> +               return ((rule->func == func) && !inode &&
>                         ima_match_rule_data(rule, func_data, cred));

I was thinking that in this way, it would not trigger the measurement when
loading the policy from a file. If inode is not NULL, it directly returns false
instead of continuing. What do you thing of something like this:

        switch (func) {
+       case POLICY_CHECK:
+               if (inode)
+                       break;
+               fallthrough;
        case KEY_CHECK:
        case CRITICAL_DATA:
                return ((rule->func == func) &&
                        ima_match_rule_data(rule, func_data, cred));

> Otherwise the patch looks good.

Thank you,

Enrico

> Mimi

Reply via email to