Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized

[RFC PATCH 1/2] ima: don't access a file's integrity status before an IMA policy is loaded · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-19
[RFC PATCH 2/2] integrity: double check iint_cache was initialized · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-19
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-03-22
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Dmitry Vyukov <dvyukov@google.com> · 2021-03-22
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-03-23
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-23
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-03-23
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-03-23
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-23
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-03-23
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-23
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-03-24
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-24
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2021-03-24
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Dmitry Vyukov <dvyukov@google.com> · 2021-03-24
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-24
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Dmitry Vyukov <dvyukov@google.com> · 2021-03-24
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Mimi Zohar <zohar@linux.ibm.com> · 2021-03-24
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized · Casey Schaufler <casey@schaufler-ca.com> · 2021-03-24

From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date: 2021-03-23 01:47:50
Also in: linux-security-module, lkml

On 2021/03/20 5:03, Mimi Zohar wrote:

The integrity's "iint_cache" is initialized at security_init().  Only
after an IMA policy is loaded, which is initialized at late_initcall,
is a file's integrity status stored in the "iint_cache".

All integrity_inode_get() callers first verify that the IMA policy has
been loaded, before calling it.  Yet for some reason, it is still being
called, causing a NULL pointer dereference.

qemu-system-x86_64 (...snipped...) lsm=smack (...snipped...)

Hmm, why are you using lsm=smack instead of security=smack ?
Since use of lsm= overrides CONFIG_LSM="lockdown,yama,safesetid,integrity,tomoyo,smack,bpf" settings,
only smack is activated, which means that integrity_iintcache_init() will not be called by

  DEFINE_LSM(integrity) = {
  	.name = "integrity",
  	.init = integrity_iintcache_init,
  };

declaration. That's the reason iint_cache == NULL when integrity_inode_get() is called.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help