From: Dmitry R. <dmi...@li...> - 2016-03-02 10:45:05
Hi!
I can confirm that the original bsdtar unpacks archives correctly with this
patch applied to the kernel; the security.ima attribute doesn't get
overwritten by IMA. Thanks!
BR,
Dmitry
On Mon, 2016-02-29 at 22:00 -0500, Mimi Zohar wrote:
> Changing file metadata (e.g. uid, guid) could result in having to
> re-appraise a file's integrity, but does not change the "new file"
> status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
> IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
> only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
>
> With this patch, changing the file timestamp will not remove the
> file signature on new files.
>
> Reported-by: Dmitry Rozhkov <dmi...@li...>
> Signed-off-by: Mimi Zohar <zo...@li...>
> ---
> security/integrity/ima/ima_appraise.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima_appraise.c
> b/security/integrity/ima/ima_appraise.c
> index 6b4694a..e304e3a 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry
> *dentry)
> if (iint) {
> iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
> IMA_APPRAISE_SUBMASK |
> IMA_APPRAISED_SUBMASK |
> - IMA_ACTION_FLAGS);
> + IMA_PERMIT_DIRECTIO |
> IMA_DIGSIG_REQUIRED);
> if (must_appraise)
> iint->flags |= IMA_APPRAISE;
> }
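Review bot: the mask cleared in ima_inode_post_setattr() is narrowed from IMA_ACTION_FLAGS to `IMA_PERMIT_DIRECTIO | IMA_DIGSIG_REQUIRED`, and the reason (IMA_NEW_FILE and IMA_DIGSIG must survive a metadata-only change so a fresh file's signature is not discarded) lives only in the commit message; a one-line comment at the mask stating that those two flags are deliberately preserved would keep the next reader from "fixing" it back to IMA_ACTION_FLAGS. It is also worth confirming that IMA_ACTION_FLAGS contains no other per-rule bit besides the two now listed, since any such bit would no longer be reset on setattr and would persist into the re-appraisal that `must_appraise` triggers.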