CVE-2025-68740

Source
https://cve.org/CVERecord?id=CVE-2025-68740
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68740.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68740
Published
2025-12-24T12:09:37.971Z
Modified
2026-03-20T12:46:26.367722Z
Summary
ima: Handle error code returned by ima_filter_rule_match()
Details

In the Linux kernel, the following vulnerability has been resolved:

ima: Handle error code returned by ima_filter_rule_match()

In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA.

This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match.

Call trace:
  selinux_audit_rule_match+0x310/0x3b8
  security_audit_rule_match+0x60/0xa0
  ima_match_rules+0x2e4/0x4a0
  ima_match_policy+0x9c/0x1e8
  ima_get_action+0x48/0x60
  process_measurement+0xf8/0xa98
  ima_bprm_check+0x98/0xd8
  security_bprm_check+0x5c/0x78
  search_binary_handler+0x6c/0x318
  exec_binprm+0x58/0x1b8
  bprm_execve+0xb8/0x130
  do_execveat_common.isra.0+0x1a8/0x258
  __arm64_sys_execve+0x48/0x68
  invoke_syscall+0x50/0x128
  el0_svc_common.constprop.0+0xc8/0xf0
  do_el0_svc+0x24/0x38
  el0_svc+0x44/0x200
  el0t_64_sync_handler+0x100/0x130
  el0t_64_sync+0x3c8/0x3d0

Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match.
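
The return-code handling described above, as an added user-space model (not the kernel source, and not part of the original record). All model_* names, the rule struct and the policy generation counter are hypothetical stand-ins for the functions named in the advisory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define POLICY_GEN 2                 /* constructed: current policy generation */

struct model_rule { int gen; int label; };   /* hypothetical LSM rule */
static const struct model_rule refreshed = { POLICY_GEN, 7 };

/* Return convention from the advisory: >0 match, 0 no match, <0 error. */
static int model_filter_rule_match(int label, const struct model_rule *r)
{
	if (!r)
		return -ENOENT;          /* rule is NULL */
	if (r->gen != POLICY_GEN)
		return -ESTALE;          /* rule predates the policy change */
	return r->label == label;
}

/* Models the copy-and-retry step: when the policy module is gone the
 * refreshed entry carries a NULL rule. */
static const struct model_rule *model_copy_rule(bool module_present)
{
	return module_present ? &refreshed : NULL;
}

/* fixed=false uses the old 'if (!rc)' test, fixed=true uses 'if (rc <= 0)'. */
static bool model_match(const struct model_rule *r, int label,
			bool module_present, bool fixed)
{
	bool reinitialized = false;
	int rc;
retry:
	rc = model_filter_rule_match(label, r);
	if (rc == -ESTALE && !reinitialized) {
		r = model_copy_rule(module_present);
		reinitialized = true;
		goto retry;
	}
	if (fixed ? rc <= 0 : !rc)
		return false;            /* treated as "no match" */
	return true;                     /* treated as a match */
}

int main(void)
{
	const struct model_rule stale = { POLICY_GEN - 1, 7 };
	/* Stale rule, module removed: old check matches, fixed check does not. */
	return !(model_match(&stale, 7, false, false) &&
		 !model_match(&stale, 7, false, true));
}
```

The program exits with status 0 when the old check reports a match for the -ESTALE then -ENOENT sequence and the 'rc <= 0' check rejects it.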

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68740.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4af4662fa4a9dc62289c580337ae2506339c4729
Fixed
d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51
Fixed
f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85
Fixed
88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749
Fixed
cca3e7df3c0f99542033657ba850b9a6d27f8784
Fixed
c2238d487a640ae3511e1b6f4640ab27ce10d7f6
Fixed
de4431faf308d0c533cb386f5fa9af009bc86158
Fixed
32952c4f4d1b2deb30dce72ba109da808a9018e1
Fixed
738c9738e690f5cea24a3ad6fd2d9a323cf614f6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68740.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  2.6.30      5.10.248
ECOSYSTEM  5.11.0      5.15.198
ECOSYSTEM  5.16.0      6.1.160
ECOSYSTEM  6.2.0       6.6.120
ECOSYSTEM  6.7.0       6.12.63
ECOSYSTEM  6.13.0      6.17.13
ECOSYSTEM  6.18.0      6.18.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68740.json"