~hc/RK356X_SDK_RELEASE.git

..	..	@@ -370,12 +370,6 @@
370	370
371	371	nentry->lsm[i].type = entry->lsm[i].type;
372	372	nentry->lsm[i].args_p = entry->lsm[i].args_p;
373		- /*
374		- * Remove the reference from entry so that the associated
375		- * memory will not be freed during a later call to
376		- * ima_lsm_free_rule(entry).
377		- */
378		- entry->lsm[i].args_p = NULL;
379	373
380	374	ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
381	375	nentry->lsm[i].args_p,
..	..	@@ -389,6 +383,7 @@
389	383
390	384	static int ima_lsm_update_rule(struct ima_rule_entry *entry)
391	385	{
	386	+ int i;
392	387	struct ima_rule_entry *nentry;
393	388
394	389	nentry = ima_lsm_copy_rule(entry);
..	..	@@ -403,7 +398,8 @@
403	398	* references and the entry itself. All other memory refrences will now
404	399	* be owned by nentry.
405	400	*/
406		- ima_lsm_free_rule(entry);
	401	+ for (i = 0; i < MAX_LSM_RULES; i++)
	402	+ ima_filter_rule_free(entry->lsm[i].rule);
407	403	kfree(entry);
408	404
409	405	return 0;
..	..	@@ -503,6 +499,9 @@
503	499	const char *keyring)
504	500	{
505	501	int i;
	502	+ bool result = false;
	503	+ struct ima_rule_entry *lsm_rule = rule;
	504	+ bool rule_reinitialized = false;
506	505
507	506	if (func == KEY_CHECK) {
508	507	return (rule->flags & IMA_FUNC) && (rule->func == func) &&
..	..	@@ -545,34 +544,55 @@
545	544	int rc = 0;
546	545	u32 osid;
547	546
548		- if (!rule->lsm[i].rule) {
549		- if (!rule->lsm[i].args_p)
	547	+ if (!lsm_rule->lsm[i].rule) {
	548	+ if (!lsm_rule->lsm[i].args_p)
550	549	continue;
551	550	else
552	551	return false;
553	552	}
	553	+
	554	+retry:
554	555	switch (i) {
555	556	case LSM_OBJ_USER:
556	557	case LSM_OBJ_ROLE:
557	558	case LSM_OBJ_TYPE:
558	559	security_inode_getsecid(inode, &osid);
559		- rc = ima_filter_rule_match(osid, rule->lsm[i].type,
	560	+ rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type,
560	561	Audit_equal,
561		- rule->lsm[i].rule);
	562	+ lsm_rule->lsm[i].rule);
562	563	break;
563	564	case LSM_SUBJ_USER:
564	565	case LSM_SUBJ_ROLE:
565	566	case LSM_SUBJ_TYPE:
566		- rc = ima_filter_rule_match(secid, rule->lsm[i].type,
	567	+ rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type,
567	568	Audit_equal,
568		- rule->lsm[i].rule);
	569	+ lsm_rule->lsm[i].rule);
	570	+ break;
569	571	default:
570	572	break;
571	573	}
572		- if (!rc)
573		- return false;
	574	+
	575	+ if (rc == -ESTALE && !rule_reinitialized) {
	576	+ lsm_rule = ima_lsm_copy_rule(rule);
	577	+ if (lsm_rule) {
	578	+ rule_reinitialized = true;
	579	+ goto retry;
	580	+ }
	581	+ }
	582	+ if (!rc) {
	583	+ result = false;
	584	+ goto out;
	585	+ }
574	586	}
575		- return true;
	587	+ result = true;
	588	+
	589	+out:
	590	+ if (rule_reinitialized) {
	591	+ for (i = 0; i < MAX_LSM_RULES; i++)
	592	+ ima_filter_rule_free(lsm_rule->lsm[i].rule);
	593	+ kfree(lsm_rule);
	594	+ }
	595	+ return result;
576	596	}
577	597
578	598	/*
..	..	@@ -608,6 +628,7 @@
608	628	* @secid: LSM secid of the task to be validated
609	629	* @func: IMA hook identifier
610	630	* @mask: requested action (MAY_READ \| MAY_WRITE \| MAY_APPEND \| MAY_EXEC)
	631	+ * @flags: IMA actions to consider (e.g. IMA_MEASURE \| IMA_APPRAISE)
611	632	* @pcr: set the pcr to extend
612	633	* @template_desc: the template that should be used for this rule
613	634	* @keyring: the keyring name, if given, to be used to check in the policy.
..	..	@@ -802,6 +823,7 @@
802	823	add_rules(default_measurement_rules,
803	824	ARRAY_SIZE(default_measurement_rules),
804	825	IMA_DEFAULT_POLICY);
	826	+ break;
805	827	default:
806	828	break;
807	829	}
..	..	@@ -1494,7 +1516,7 @@
1494	1516
1495	1517	/**
1496	1518	* ima_parse_add_rule - add a rule to ima_policy_rules
1497		- * @rule - ima measurement policy rule
	1519	+ * @rule: ima measurement policy rule
1498	1520	*
1499	1521	* Avoid locking by allowing just one writer at a time in ima_write_policy()
1500	1522	* Returns the length of the rule parsed, an error code on failure