author | Tyler Hicks <tyhicks@linux.microsoft.com> | 2022-09-30 15:49:35 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-10-05 10:36:44 +0200 |
commit | 7e290764624acfc807a9dae958b3e4ecc550b50c (patch) | |
tree | a9d123f52817c9eb64d3eca51ae775a835e9aac7 /security | |
parent | acf4387e553ede843bdacf3616e4b750517b58db (diff) | |
ima: Have the LSM free its audit rule
commit 9ff8a616dfab96a4fa0ddd36190907dc68886d9b upstream.
Ask the LSM to free its audit rule rather than directly calling kfree().
Both AppArmor and SELinux do additional work in their audit_rule_free()
hooks. Fix memory leaks by allowing the LSMs to perform necessary work.
Fixes: b16942455193 ("ima: use the lsm policy update notifier")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Cc: Janne Karhunen <janne.karhunen@gmail.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gou Hao <gouhao@uniontech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/ima/ima.h | 5 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 4 |
2 files changed, 8 insertions, 1 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d12b07eb3a58..e2916b115b93 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -298,6 +298,7 @@ static inline int ima_read_xattr(struct dentry *dentry,
 #ifdef CONFIG_IMA_LSM_RULES
 #define security_filter_rule_init security_audit_rule_init
+#define security_filter_rule_free security_audit_rule_free
 #define security_filter_rule_match security_audit_rule_match
 #else
@@ -308,6 +309,10 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
 return -EINVAL;
 }
+static inline void security_filter_rule_free(void *lsmrule)
+{
+}
+
 static inline int security_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, struct audit_context *actx)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 2d5a3daa02f9..733efc06d3c1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1044,8 +1044,10 @@ void ima_delete_rules(void)
 temp_ima_appraise = 0;
 list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
- for (i = 0; i < MAX_LSM_RULES; i++)
+ for (i = 0; i < MAX_LSM_RULES; i++) {
+ security_filter_rule_free(entry->lsm[i].rule);
 kfree(entry->lsm[i].args_p);
+ }
 list_del(&entry->list);
 kfree(entry); |
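Review bot: The empty `security_filter_rule_free()` stub added for the !CONFIG_IMA_LSM_RULES case carries no comment explaining why doing nothing is correct. The neighbouring `security_filter_rule_init()` stub visible at the top of the hunk returns -EINVAL, so presumably no LSM rule can ever be stored in this configuration; a one-line comment such as `/* No LSM rule can be created without CONFIG_IMA_LSM_RULES, so there is nothing to free. */` would record that. The hunk begins inside the init stub and ends partway through the signature of security_filter_rule_match().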
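Review bot: The new `security_filter_rule_free(entry->lsm[i].rule)` call in ima_delete_rules() runs for all MAX_LSM_RULES slots, so it is handed NULL for every slot the policy line did not populate (assuming unused slots are zero-initialised, which is not visible here). kfree() accepts NULL by contract, but the LSM audit_rule_free hooks are outside this diff, so either confirm that each one tolerates NULL or guard the call: `if (entry->lsm[i].rule) security_filter_rule_free(entry->lsm[i].rule);`. The removed line shows the old loop freed only `args_p`, so in this tree the hunk adds a free that was missing rather than replacing a kfree() as the description says. Other paths that discard an ima_rule_entry lie outside this hunk and are worth checking for the same leak. The function body starts and ends outside the hunk.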