
Commit a175b8bb authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

ima: forbid write access to files with digital signatures



This patch forbids write access to files with digital signatures, as they
are considered immutable.

Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent ea1046d4
+5 −2
@@ -175,12 +175,12 @@ static int process_measurement(struct file *file, const char *filename,
	if (!action) {
		if (iint->flags & IMA_APPRAISED)
			rc = iint->ima_status;
		goto out;
		goto out_digsig;
	}

	rc = ima_collect_measurement(iint, file);
	if (rc != 0)
		goto out;
		goto out_digsig;

	if (function != BPRM_CHECK)
		pathname = ima_d_path(&file->f_path, &pathbuf);
@@ -195,6 +195,9 @@ static int process_measurement(struct file *file, const char *filename,
	if (action & IMA_AUDIT)
		ima_audit_measurement(iint, pathname);
	kfree(pathbuf);
out_digsig:
	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
		rc = -EACCES;
out:
	mutex_unlock(&inode->i_mutex);
	if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
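Review bot: The new `-EACCES` set under `out_digsig:` is only honoured when the return condition on the following line holds (`rc && must_appraise` and `IMA_APPRAISE_ENFORCE`), so a signed file is "immutable" only in enforce mode and only for files the policy says must be appraised; in log/fix mode the denial is presumably discarded by the return path outside the hunk. That caveat should sit on the check itself, e.g. `/* Signed files are immutable: refuse write opens. Enforced only with IMA_APPRAISE_ENFORCE and must_appraise (see return below). */`. Note also that `out_digsig` is reached from the `!action` path, so the write check runs even when the policy selects no action for this open, relying on `must_appraise` to filter it again. The kernel normally reports immutable-file writes as `-EPERM` (as IS_IMMUTABLE checks do); consider whether `-EACCES` is the intended errno here. process_measurement's body and its final return continue outside the hunk.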