ima: fix ima_inode_post_setattr

Changing file metadata (eg. uid, guid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.

With this patch, changing the file timestamp will not remove the
file signature on new files.

Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>

2 files changed, 2 insertions, 1 deletions

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 6b4694aedae8..d2f28a0c8614 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
         if (iint) {
                 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
                                  IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-                                 IMA_ACTION_FLAGS);
+                                 IMA_ACTION_RULE_FLAGS);
                 if (must_appraise)
                         iint->flags |= IMA_APPRAISE;
         }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e08935cf343f..90bc57d796ec 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -28,6 +28,7 @@
 
 /* iint cache flags */
 #define IMA_ACTION_FLAGS        0xff000000
+#define IMA_ACTION_RULE_FLAGS   0x06000000
 #define IMA_DIGSIG              0x01000000
 #define IMA_DIGSIG_REQUIRED     0x02000000
 #define IMA_PERMIT_DIRECTIO     0x04000000