author    Luca Boccassi    2024-09-25 23:01:34 +0200
committer Fan Wu           2024-10-17 11:38:15 -0700
commit    5ceecb301e50e933c1e621fbeea5ec239fbff858
tree      247901761294b4c0112c1d714b813ebae4e6b26e
parent    579941899db4f972507df3bf783518e606bb095a
ipe: also reject policy updates with the same version
Currently IPE accepts an update that has the same version as the policy being updated, but it doesn't make it a no-op, nor does it check that the old and new policies are the same. So it is possible to change the content of a policy without changing its version. This is very confusing from userspace when managing policies. Instead, change the update logic to reject updates that have the same version with ESTALE, as that is much clearer and more intuitive behaviour.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Fan Wu <wufan@kernel.org>
 Documentation/admin-guide/LSM/ipe.rst | 2 +-
 security/ipe/policy.c                 | 2 +-
 2 files changed, 2 insertions, 2 deletions
diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst
index f38e641df0e9..fcb3c493104b 100644
--- a/Documentation/admin-guide/LSM/ipe.rst
+++ b/Documentation/admin-guide/LSM/ipe.rst
@@ -266,7 +266,7 @@ in the kernel. This file is write-only and accepts a PKCS#7 signed
policy. Two checks will always be performed on this policy: First, the
``policy_names`` must match with the updated version and the existing
version. Second the updated policy must have a policy version greater than
-or equal to the currently-running version. This is to prevent rollback attacks.
+the currently-running version. This is to prevent rollback attacks.
The ``delete`` file is used to remove a policy that is no longer needed.
This file is write-only and accepts a value of ``1`` to delete the policy.
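Review bot: the reworded sentence states the new ordering requirement but not what userspace observes when it is violated; since the matching change in security/ipe/policy.c returns -ESTALE for an update whose version is less than or equal to the running one, suggest adding a sentence after "This is to prevent rollback attacks." such as "An update whose version is equal to or lower than the currently-running version is rejected with ``-ESTALE``." so the documented behaviour matches the errno userspace actually receives.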
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index dcaac8c4bb38..4cea067adf6a 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -106,7 +106,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
goto err;
}
- if (ver_to_u64(old) > ver_to_u64(new)) {
+ if (ver_to_u64(old) >= ver_to_u64(new)) {
rc = -ESTALE;
goto err;
}
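Review bot: changing `>` to `>=` means that re-submitting the currently-running policy unchanged is now also rejected with -ESTALE, so any userspace that re-applied a policy idempotently (for example on every boot) will start seeing failures; that is the stated intent, but because -ESTALE is returned for both the equal-version and the older-version case, userspace cannot distinguish "already at this version" from "rollback attempt" by errno alone. Consider whether a distinct error for the equal-version case (e.g. -EEXIST) would be clearer, or at least spell out in the commit message that identical re-submissions are intentionally rejected rather than treated as a no-op.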