Commit c68ed80c authored by Dmitry Kasatkin, committed by Mimi Zohar

ima: limit file hash setting by user to fix and log modes



File hashes are automatically set and updated and should not be
manually set. This patch limits file hash setting to fix and log
modes.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent cd025f7f
+6 −2
@@ -378,10 +378,14 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
				   xattr_value_len);
	if (result == 1) {
		bool digsig;

		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
			return -EINVAL;
		ima_reset_appraise_flags(d_backing_inode(dentry),
			 (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
		if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
			return -EPERM;
		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
		result = 0;
	}
	return result;
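
Review bot: the new `if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))` test in ima_inode_setxattr() needs a comment, because it expresses the commit message's "fix and log modes" as "enforce bit not set" and it rejects every xattr type other than EVM_IMA_XATTR_DIGSIG, not only hashes. A one-line comment above the check stating that only signatures may be written by the user while appraisal is enforced, and that the caller gets -EPERM otherwise, would make the intended policy explicit and keep it from being loosened by accident if further xattr types are added below IMA_XATTR_LAST. Note also that the -EPERM return comes before ima_reset_appraise_flags(), so a rejected write leaves the inode's cached appraisal state untouched; that ordering looks right and is worth stating in the same comment.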