Blame - meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch - openbmc/openbmc

blob: 64016dd3e08dab339590fac11c915fa9dc66d541 [file] [log] [blame]

Brad Bishop	15ae250	2019-06-18 21:44:24 -0400	[diff] [blame^]	1	From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
				2	From: Mimi Zohar <zohar@linux.vnet.ibm.com>
				3	Date: Tue, 8 Mar 2016 16:43:55 -0500
				4	Subject: [PATCH] ima: fix ima_inode_post_setattr
				5
				6	Changing file metadata (eg. uid, guid) could result in having to
				7	re-appraise a file's integrity, but does not change the "new file"
				8	status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
				9	IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
				10	only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
				11
				12	With this patch, changing the file timestamp will not remove the
				13	file signature on new files.
				14
				15	Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
				16
				17	Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
				18	Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
				19	---
				20	security/integrity/ima/ima_appraise.c \| 2 +-
				21	security/integrity/integrity.h \| 1 +
				22	2 files changed, 2 insertions(+), 1 deletion(-)
				23
				24	diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
				25	index 4df493e..a384ba1 100644
				26	--- a/security/integrity/ima/ima_appraise.c
				27	+++ b/security/integrity/ima/ima_appraise.c
				28	@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
				29	if (iint) {
				30	iint->flags &= ~(IMA_APPRAISE \| IMA_APPRAISED \|
				31	IMA_APPRAISE_SUBMASK \| IMA_APPRAISED_SUBMASK \|
				32	- IMA_ACTION_FLAGS);
				33	+ IMA_ACTION_RULE_FLAGS);
				34	if (must_appraise)
				35	iint->flags \|= IMA_APPRAISE;
				36	}
				37	diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
				38	index 0fc9519..f9decae 100644
				39	--- a/security/integrity/integrity.h
				40	+++ b/security/integrity/integrity.h
				41	@@ -28,6 +28,7 @@
				42
				43	/* iint cache flags */
				44	#define IMA_ACTION_FLAGS 0xff000000
				45	+#define IMA_ACTION_RULE_FLAGS 0x06000000
				46	#define IMA_DIGSIG 0x01000000
				47	#define IMA_DIGSIG_REQUIRED 0x02000000
				48	#define IMA_PERMIT_DIRECTIO 0x04000000
				49	--
				50	2.5.0
				51