From: Mimi Zohar <zohar@linux.ibm.com>
To: "Guozihua (Scott)" <guozihua@huawei.com>,
linux-integrity@vger.kernel.org, dmitry.kasatkin@gmail.com,
paul@paul-moore.com
Subject: Re: [PATCH] ima: Handle -ESTALE returned by ima_filter_rule_match()
Date: Thu, 25 Aug 2022 09:02:25 -0400 [thread overview]
Message-ID: <886d4588b9b6ab4e7dd903addf9809898defd6d9.camel@linux.ibm.com> (raw)
In-Reply-To: <61bc81bc-1b4a-3c08-6232-afc0d04decee@huawei.com>
On Wed, 2022-08-24 at 09:56 +0800, Guozihua (Scott) wrote:
> On 2022/8/24 9:26, Mimi Zohar wrote:
> > On Tue, 2022-08-23 at 21:28 +0800, Guozihua (Scott) wrote:
> >> On 2022/8/23 21:21, Mimi Zohar wrote:
> >>> On Tue, 2022-08-23 at 16:12 +0800, Guozihua (Scott) wrote:
> >>>>> The question is whether we're waiting for the SELinux policy to change
> >>>>> from ESTALE or whether it is the number of SELinux based IMA policy
> >>>>> rules or some combination of the two. Retrying three times seems to be
> >>>>> random. If SELinux waited for ESTALE to change, then it would only be
> >>>>> dependent on the time it took to update the SELinux based IMA policy
> >>>>> rules.
> >>>>
> >>>> We are waiting for ima_lsm_update_rules() to finish re-initializing all
> >>>> the LSM based rules.
> >>>
> >>> Fine. Hopefully retrying a maximum of 3 times is sufficient.
> >>>
> >> Well, at least this should greatly reduce the chance of this issue from
> >> happening.
> >
> > Agreed
> >
> >> This would be the best we I can think of without locking and
> >> busy waiting. Maybe we can also add delays before we retry. Maybe you
> >> got any other thought in mind?
> >
> > Another option would be to re-introduce the equivalent of the "lazy"
> > LSM update on -ESTALE, but without updating the policy rule, as the
> > notifier callback will eventually get to it.
> >
>
> For this to happen we would need a way to tell when we are able to
> continue with the retry though.
Previously with the lazy update, on failure security_filter_rule_init()
was called before the retry. To avoid locking or detecting when to
continue, another option would be to call to
security_filter_rule_init() with a local copy of the rule. The retry
would be based on a local copy of the rule.
Eventually the registered callback will complete, so we don't need to
be concerned about updating the actual rules.
--
thanks,
Mimi
next prev parent reply other threads:[~2022-08-25 13:02 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-18 2:05 [PATCH] ima: Handle -ESTALE returned by ima_filter_rule_match() GUO Zihua
2022-08-18 13:43 ` Mimi Zohar
2022-08-19 1:50 ` Guozihua (Scott)
2022-08-22 14:41 ` Mimi Zohar
2022-08-23 8:12 ` Guozihua (Scott)
2022-08-23 13:21 ` Mimi Zohar
2022-08-23 13:28 ` Guozihua (Scott)
2022-08-24 1:26 ` Mimi Zohar
2022-08-24 1:56 ` Guozihua (Scott)
2022-08-25 13:02 ` Mimi Zohar [this message]
2022-08-27 9:57 ` Guozihua (Scott)
2022-08-30 1:20 ` Mimi Zohar
2022-08-30 8:41 ` Guozihua (Scott)
2022-08-30 12:03 ` Mimi Zohar
2022-08-30 12:13 ` Guozihua (Scott)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=886d4588b9b6ab4e7dd903addf9809898defd6d9.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=guozihua@huawei.com \
--cc=linux-integrity@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox