Brad Bishop | 15ae250 | 2019-06-18 21:44:24 -0400 | [diff] [blame^] | 1 | From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 |
| 2 | From: Mimi Zohar <zohar@linux.vnet.ibm.com> |
| 3 | Date: Tue, 8 Mar 2016 16:43:55 -0500 |
| 4 | Subject: [PATCH] ima: fix ima_inode_post_setattr |
| 5 | |
| 6 | Changing file metadata (eg. uid, guid) could result in having to |
| 7 | re-appraise a file's integrity, but does not change the "new file" |
| 8 | status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and |
| 9 | IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch |
| 10 | only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. |
| 11 | |
| 12 | With this patch, changing the file timestamp will not remove the |
| 13 | file signature on new files. |
| 14 | |
| 15 | Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] |
| 16 | |
| 17 | Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> |
| 18 | Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> |
| 19 | --- |
| 20 | security/integrity/ima/ima_appraise.c | 2 +- |
| 21 | security/integrity/integrity.h | 1 + |
| 22 | 2 files changed, 2 insertions(+), 1 deletion(-) |
| 23 | |
| 24 | diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c |
| 25 | index 4df493e..a384ba1 100644 |
| 26 | --- a/security/integrity/ima/ima_appraise.c |
| 27 | +++ b/security/integrity/ima/ima_appraise.c |
| 28 | @@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) |
| 29 | if (iint) { |
| 30 | iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | |
| 31 | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | |
| 32 | - IMA_ACTION_FLAGS); |
| 33 | + IMA_ACTION_RULE_FLAGS); |
| 34 | if (must_appraise) |
| 35 | iint->flags |= IMA_APPRAISE; |
| 36 | } |
| 37 | diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h |
| 38 | index 0fc9519..f9decae 100644 |
| 39 | --- a/security/integrity/integrity.h |
| 40 | +++ b/security/integrity/integrity.h |
| 41 | @@ -28,6 +28,7 @@ |
| 42 | |
| 43 | /* iint cache flags */ |
| 44 | #define IMA_ACTION_FLAGS 0xff000000 |
| 45 | +#define IMA_ACTION_RULE_FLAGS 0x06000000 |
| 46 | #define IMA_DIGSIG 0x01000000 |
| 47 | #define IMA_DIGSIG_REQUIRED 0x02000000 |
| 48 | #define IMA_PERMIT_DIRECTIO 0x04000000 |
| 49 | -- |
| 50 | 2.5.0 |
| 51 | |