ipe: also reject policy updates with the same version

Currently IPE accepts an update that has the same version as the policy being updated, but it doesn't make it a no-op nor it checks that the old and new policyes are the same. So it is possible to change the content of a policy, without changing its version. This is very confusing from userspace when managing policies. Instead change the update logic to reject updates that have the same version with ESTALE, as that is much clearer and intuitive behaviour. Signed-off-by: Luca Boccassi <bluca@debian.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Fan Wu <wufan@kernel.org>
author: Luca Boccassi <bluca@debian.org> 2024-09-25 23:01:34 +0200
committer: Fan Wu <wufan@kernel.org> 2024-10-17 20:38:15 +0200
commit: 5ceecb301e50e933c1e621fbeea5ec239fbff858 (patch)
tree: 247901761294b4c0112c1d714b813ebae4e6b26e /security/ipe/policy.c
parent: ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower ... (diff)
download: linux-5ceecb301e50e933c1e621fbeea5ec239fbff858.tar.xz
linux-5ceecb301e50e933c1e621fbeea5ec239fbff858.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
index dcaac8c4bb38..4cea067adf6a 100644
--- a/security/ipe/policy.c
+++ b/security/ipe/policy.c
@@ -106,7 +106,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
 		goto err;
 	}
 
-	if (ver_to_u64(old) > ver_to_u64(new)) {
+	if (ver_to_u64(old) >= ver_to_u64(new)) {
 		rc = -ESTALE;
 		goto err;
 	}
author	Luca Boccassi <bluca@debian.org>	2024-09-25 23:01:34 +0200
committer	Fan Wu <wufan@kernel.org>	2024-10-17 20:38:15 +0200
commit	5ceecb301e50e933c1e621fbeea5ec239fbff858 (patch)
tree	247901761294b4c0112c1d714b813ebae4e6b26e /security/ipe/policy.c
parent	ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower ... (diff)
download	linux-5ceecb301e50e933c1e621fbeea5ec239fbff858.tar.xz linux-5ceecb301e50e933c1e621fbeea5ec239fbff858.zip