Commit 42a4c603 authored Feb 29, 2016 by Mimi Zohar

ima: fix ima_inode_post_setattr



Changing file metadata (eg. uid, guid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.

With this patch, changing the file timestamp will not remove the
file signature on new files.

Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>

parent 39d637af

security/integrity/ima/ima_appraise.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
		if (iint) {
		iint->flags &= ~(IMA_APPRAISE \| IMA_APPRAISED \|
		IMA_APPRAISE_SUBMASK \| IMA_APPRAISED_SUBMASK \|
		IMA_ACTION_FLAGS);
		IMA_ACTION_RULE_FLAGS);
		if (must_appraise)
		iint->flags \|= IMA_APPRAISE;
		}

security/integrity/integrity.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -28,6 +28,7 @@

		/* iint cache flags */
		#define IMA_ACTION_FLAGS 0xff000000
		#define IMA_ACTION_RULE_FLAGS 0x06000000
		#define IMA_DIGSIG 0x01000000
		#define IMA_DIGSIG_REQUIRED 0x02000000
		#define IMA_PERMIT_DIRECTIO 0x04000000