On Thu, 2026-07-02 at 21:04 +0200, Enrico Bravi wrote:

> diff --git a/security/integrity/ima/ima_policy.c 
> b/security/integrity/ima/ima_policy.c
> index a65b7e4b64d6..d6d249190705 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -591,6 +593,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
>       switch (func) {
>       case KEY_CHECK:
>       case CRITICAL_DATA:
> +     case POLICY_CHECK:
>               return ((rule->func == func) &&
>                       ima_match_rule_data(rule, func_data, cred));
>       default:

Hi Enrico,

Unlike the other hooks, KEY_CHECK and CRITICAL_DATA are special cases, which
only allow a set of keyrings or labels respectively.  POLICY_CHECK rules can be
defined in terms of other file metadata (e.g. uid, gid, ...). With this change,
any options specified on the rule will be not be matched.

ima_match_rule_data() should only be called for buffer measurements, when there
is no inode. 

+               return ((rule->func == func) && !inode &&
                        ima_match_rule_data(rule, func_data, cred));

Otherwise the patch looks good.

Mimi

Reply via email to