Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6035a27b authored Jun 08, 2018 by Al Viro

IMA: don't propagate opened through the entire thing



just check ->f_mode in ima_appraise_measurement()

Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent 73a09dd9

fs/namei.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -3400,8 +3400,7 @@ static int do_last(struct nameidata *nd,
		if (error)
		goto out;
		opened:
		error = ima_file_check(file, op->acc_mode,
		file->f_mode & FMODE_CREATED ? FILE_CREATED : 0);
		error = ima_file_check(file, op->acc_mode);
		if (!error && will_truncate)
		error = handle_truncate(file);
		out:

fs/nfsd/vfs.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -763,7 +763,7 @@ nfsd_open(struct svc_rqst rqstp, struct svc_fh fhp, umode_t type,
		goto out_nfserr;
		}

		host_err = ima_file_check(file, may_flags, 0);
		host_err = ima_file_check(file, may_flags);
		if (host_err) {
		fput(file);
		goto out_nfserr;

include/linux/ima.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -16,7 +16,7 @@ struct linux_binprm;

		#ifdef CONFIG_IMA
		extern int ima_bprm_check(struct linux_binprm *bprm);
		extern int ima_file_check(struct file *file, int mask, int opened);
		extern int ima_file_check(struct file *file, int mask);
		extern void ima_file_free(struct file *file);
		extern int ima_file_mmap(struct file *file, unsigned long prot);
		extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
		@@ -34,7 +34,7 @@ static inline int ima_bprm_check(struct linux_binprm *bprm)
		return 0;
		}

		static inline int ima_file_check(struct file *file, int mask, int opened)
		static inline int ima_file_check(struct file *file, int mask)
		{
		return 0;
		}

security/integrity/ima/ima.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -238,7 +238,7 @@ int ima_appraise_measurement(enum ima_hooks func,
		struct integrity_iint_cache *iint,
		struct file file, const unsigned char filename,
		struct evm_ima_xattr_data *xattr_value,
		int xattr_len, int opened);
		int xattr_len);
		int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
		void ima_update_xattr(struct integrity_iint_cache iint, struct file file);
		enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
		@@ -254,7 +254,7 @@ static inline int ima_appraise_measurement(enum ima_hooks func,
		struct file *file,
		const unsigned char *filename,
		struct evm_ima_xattr_data *xattr_value,
		int xattr_len, int opened)
		int xattr_len)
		{
		return INTEGRITY_UNKNOWN;
		}

security/integrity/ima/ima_appraise.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -212,7 +212,7 @@ int ima_appraise_measurement(enum ima_hooks func,
		struct integrity_iint_cache *iint,
		struct file file, const unsigned char filename,
		struct evm_ima_xattr_data *xattr_value,
		int xattr_len, int opened)
		int xattr_len)
		{
		static const char op[] = "appraise_data";
		const char *cause = "unknown";
		@@ -231,7 +231,7 @@ int ima_appraise_measurement(enum ima_hooks func,
		cause = iint->flags & IMA_DIGSIG_REQUIRED ?
		"IMA-signature-required" : "missing-hash";
		status = INTEGRITY_NOLABEL;
		if (opened & FILE_CREATED)
		if (file->f_mode & FMODE_CREATED)
		iint->flags \|= IMA_NEW_FILE;
		if ((iint->flags & IMA_NEW_FILE) &&
		(!(iint->flags & IMA_DIGSIG_REQUIRED) \|\|