From: Mimi Z. <zo...@li...> - 2016-02-25 16:09:47

On Thu, 2016-02-25 at 15:29 +0200, Dmitry Rozhkov wrote:
> On Thu, 2016-02-25 at 07:43 -0500, Mimi Zohar wrote:
> >
> > If security.ima isn't being written because the file is not in policy,
> > that is a different problem. Perhaps try writing a file that is in the
> > IMA-appraisal policy.
>
> Didn't get it. The file is in the IMA-appraisal policy.
>
> AFAIU upon file closing ima_inode_setxattr()
> calls ima_reset_appraise_flags() where IMA_DIGSIG is supposed to be
> set. But right before setting the flag there's the condition
>
>     iint = integrity_iint_find(inode);
>     if (!iint)
>         return;
>
> which is true for newly created (and never closed yet) files.

There needs to be a FILE_CHECK rule for the iint to be created for a new file.

Mimi
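As an added illustration (not part of the thread), two IMA policy fragments contrasting the situation Dmitry hit with the FILE_CHECK rule Mimi refers to; the fowner=0 constraint is an assumption and should be adjusted to the files actually being signed:

```text
# Added example, not from the thread. A policy is loaded with:
#   cat policy > /sys/kernel/security/ima/policy
#
# Policy A: appraises executables only. A newly created data file matches
# no rule when it is opened, so no iint is allocated for its inode, and
# ima_inode_setxattr() -> ima_reset_appraise_flags() returns early at the
# integrity_iint_find() check when security.ima is written.
appraise func=BPRM_CHECK appraise_type=imasig

# Policy B: adds a FILE_CHECK rule (fowner=0 limits it to root-owned
# files; assumed here). Files matching the rule get an iint when opened,
# so IMA_DIGSIG can be set once a signature is written to security.ima.
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=FILE_CHECK fowner=0 appraise_type=imasig
```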