Commit 3d54351c authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'lsm-pr-20240617' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm 

Pull lsm fix from Paul Moore:
 "A single LSM/IMA patch to fix a problem caused by sleeping while in a
  RCU critical section"

* tag 'lsm-pr-20240617' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
  ima: Avoid blocking in RCU read-side critical section
parents 14d7c92f 9a95c5bf

include/linux/lsm_hook_defs.h

+1 −1
Original line number Diff line number Diff line
@@ -413,7 +413,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, 


#ifdef CONFIG_AUDIT

LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr,

	 void **lsmrule)

	 void **lsmrule, gfp_t gfp)

LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule)

LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule)

LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)

include/linux/security.h

+3 −2
Original line number Diff line number Diff line
@@ -2048,7 +2048,8 @@ static inline void security_key_post_create_or_update(struct key *keyring, 


#ifdef CONFIG_AUDIT

#ifdef CONFIG_SECURITY

int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);

int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,

			     gfp_t gfp);

int security_audit_rule_known(struct audit_krule *krule);

int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);

void security_audit_rule_free(void *lsmrule);
@@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmrule); 
#else



static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr,

					   void **lsmrule)

					   void **lsmrule, gfp_t gfp)

{

	return 0;

}

kernel/auditfilter.c

+3 −2
Original line number Diff line number Diff line
@@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data, 
			entry->rule.buflen += f_val;

			f->lsm_str = str;

			err = security_audit_rule_init(f->type, f->op, str,

						       (void **)&f->lsm_rule);

						       (void **)&f->lsm_rule,

						       GFP_KERNEL);

			/* Keep currently invalid fields around in case they

			 * become valid after a policy reload. */

			if (err == -EINVAL) {
@@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(struct audit_field *df, 


	/* our own (refreshed) copy of lsm_rule */

	ret = security_audit_rule_init(df->type, df->op, df->lsm_str,

				       (void **)&df->lsm_rule);

				       (void **)&df->lsm_rule, GFP_KERNEL);

	/* Keep currently invalid fields around in case they

	 * become valid after a policy reload. */

	if (ret == -EINVAL) {

security/apparmor/audit.c

+3 −3
Original line number Diff line number Diff line
@@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule) 
	}

}



int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)

int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp)

{

	struct aa_audit_rule *rule;
@@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 
		return -EINVAL;

	}



	rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);

	rule = kzalloc(sizeof(struct aa_audit_rule), gfp);



	if (!rule)

		return -ENOMEM;



	/* Currently rules are treated as coming from the root ns */

	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,

				     GFP_KERNEL, true, false);

				     gfp, true, false);

	if (IS_ERR(rule->label)) {

		int err = PTR_ERR(rule->label);

		aa_audit_rule_free(rule);

security/apparmor/include/audit.h

+1 −1
Original line number Diff line number Diff line
@@ -200,7 +200,7 @@ static inline int complain_error(int error) 
}



void aa_audit_rule_free(void *vrule);

int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);

int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp);

int aa_audit_rule_known(struct audit_krule *rule);

int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);