ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version

bluca · jxwufan · commit 579941899db4 · 2024-10-17T11:37:13.000-07:00
When loading policies in userspace we want a recognizable error when an
update attempts to use an old policy, as that is an error that needs
to be treated differently from an invalid policy. Use -ESTALE as it is
clear enough for an update mechanism.

Signed-off-by: Luca Boccassi &lt;bluca@debian.org&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Fan Wu &lt;wufan@kernel.org&gt;
diff --git a/security/ipe/policy.c b/security/ipe/policy.c
@@ -107,7 +107,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
 	}
 
 	if (ver_to_u64(old) > ver_to_u64(new)) {
-		rc = -EINVAL;
+		rc = -ESTALE;
 		goto err;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ int ipe_update_policy(struct inode root, const char text, size_t textlen,`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`if (ver_to_u64(old) > ver_to_u64(new)) {`
`110`		`- rc = -EINVAL;`
	`110`	`+ rc = -ESTALE;`
`111`	`111`	`goto err;`
`112`	`112`	`}`
`113`	`113`