Commit 42a4c603 authored by Mimi Zohar

ima: fix ima_inode_post_setattr

Changing file metadata (e.g. uid, gid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.

With this patch, changing the file timestamp will not remove the
file signature on new files.
Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
parent 39d637af
...@@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry) ...@@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
if (iint) { if (iint) {
iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
IMA_ACTION_FLAGS); IMA_ACTION_RULE_FLAGS);
if (must_appraise) if (must_appraise)
iint->flags |= IMA_APPRAISE; iint->flags |= IMA_APPRAISE;
} }
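Review bot: the narrowed clear-mask at `IMA_ACTION_RULE_FLAGS);` is correct for the stated intent (IMA_APPRAISE/IMA_APPRAISED and the submasks are still dropped, so a uid/gid change still forces re-appraisal), but nothing at this site says that IMA_DIGSIG and IMA_NEW_FILE are now deliberately preserved across setattr; a one-line comment above the `iint->flags &= ~(...)` statement stating that only the rule-specific flags are reset would keep a future reader from "fixing" it back to IMA_ACTION_FLAGS. It is also worth confirming in review that every caller relying on the old behaviour (a full reset of the 0xff000000 action bits on setattr) is covered by the commit message's reasoning, since this hunk silently changes what survives a metadata update.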
...@@ -28,6 +28,7 @@ ...@@ -28,6 +28,7 @@
/* iint cache flags */ /* iint cache flags */
#define IMA_ACTION_FLAGS 0xff000000 #define IMA_ACTION_FLAGS 0xff000000
#define IMA_ACTION_RULE_FLAGS 0x06000000
#define IMA_DIGSIG 0x01000000 #define IMA_DIGSIG 0x01000000
#define IMA_DIGSIG_REQUIRED 0x02000000 #define IMA_DIGSIG_REQUIRED 0x02000000
#define IMA_PERMIT_DIRECTIO 0x04000000 #define IMA_PERMIT_DIRECTIO 0x04000000
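Review bot: `#define IMA_ACTION_RULE_FLAGS 0x06000000` encodes the union of IMA_DIGSIG_REQUIRED (0x02000000) and IMA_PERMIT_DIRECTIO (0x04000000) as a magic constant; defining it as `(IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO)` and placing it after those two definitions would make the relationship explicit and keep the mask from drifting when a rule-specific flag is added or renumbered. A short comment on the new line noting that these are the per-policy-rule flags (the ones ima_inode_post_setattr resets) would also help, since the header currently gives no hint why this subset of IMA_ACTION_FLAGS exists.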