From: Mimi Z. <zo...@li...> - 2016-03-01 03:00:31
Changing file metadata (e.g. uid, guid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
With this patch, changing the file timestamp will not remove the
file signature on new files.
Reported-by: Dmitry Rozhkov <dmi...@li...>
Signed-off-by: Mimi Zohar <zo...@li...>
---
security/integrity/ima/ima_appraise.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 6b4694a..e304e3a 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
if (iint) {
iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
- IMA_ACTION_FLAGS);
+ IMA_PERMIT_DIRECTIO | IMA_DIGSIG_REQUIRED);
if (must_appraise)
iint->flags |= IMA_APPRAISE;
}
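Review bot: the rationale for clearing only IMA_PERMIT_DIRECTIO | IMA_DIGSIG_REQUIRED instead of IMA_ACTION_FLAGS lives solely in the commit message; the next reader of ima_inode_post_setattr() will see a narrower mask than the name IMA_ACTION_FLAGS suggests and have no in-tree explanation of why IMA_NEW_FILE and IMA_DIGSIG must survive a setattr. Suggest a one-line comment above the flag reset, e.g. "/* reset only the policy rule specific flags; IMA_NEW_FILE and IMA_DIGSIG describe the inode, not the matched rule, and must survive metadata changes */". Please also confirm in the changelog whether IMA_ACTION_FLAGS carries any members beyond the four flags named in the message, since any such flag now persists across setattr where it was previously cleared; if the only other members are IMA_NEW_FILE and IMA_DIGSIG the change is exactly as described, and the commit message should state that so the narrowing is clearly intentional.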
--
2.1.0