1 files changed, 25 insertions, 27 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 2917f980bf30..673a37e92ba3 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -124,11 +124,13 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
                return;
        mutex_lock(&inode->i_mutex);
-        if (atomic_read(&inode->i_writecount) == 1 &&
+        if (atomic_read(&inode->i_writecount) == 1) {
-            iint->version != inode->i_version) {
+                if ((iint->version != inode->i_version) ||
-                iint->flags &= ~IMA_DONE_MASK;
+                    (iint->flags & IMA_NEW_FILE)) {
-                if (iint->flags & IMA_APPRAISE)
+                        iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
-                        ima_update_xattr(iint, file);
+                        if (iint->flags & IMA_APPRAISE)
+                                ima_update_xattr(iint, file);
+                }
        }
        mutex_unlock(&inode->i_mutex);
 }
@@ -154,15 +156,15 @@ void ima_file_free(struct file *file)
        ima_check_last_writer(iint, inode, file);
 }
-static int process_measurement(struct file *file, const char *filename,
+static int process_measurement(struct file *file, int mask, int function,
-                               int mask, int function)
+                               int opened)
 {
        struct inode *inode = file_inode(file);
        struct integrity_iint_cache *iint;
        struct ima_template_desc *template_desc;
        char *pathbuf = NULL;
        const char *pathname = NULL;
-        int rc = -ENOMEM, action, must_appraise, _func;
+        int rc = -ENOMEM, action, must_appraise;
        struct evm_ima_xattr_data *xattr_value = NULL, **xattr_ptr = NULL;
        int xattr_len = 0;
@@ -180,7 +182,8 @@ static int process_measurement(struct file *file, const char *filename,
        must_appraise = action & IMA_APPRAISE;
        /*  Is the appraise rule hook specific?  */
-        _func = (action & IMA_FILE_APPRAISE) ? FILE_CHECK : function;
+        if (action & IMA_FILE_APPRAISE)
+                function = FILE_CHECK;
        mutex_lock(&inode->i_mutex);
@@ -199,15 +202,13 @@ static int process_measurement(struct file *file, const char *filename,
        /* Nothing to do, just return existing appraised status */
        if (!action) {
                if (must_appraise)
-                        rc = ima_get_cache_status(iint, _func);
+                        rc = ima_get_cache_status(iint, function);
                goto out_digsig;
        }
        template_desc = ima_template_desc_current();
-        if (strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) == 0) {
+        if ((action & IMA_APPRAISE_SUBMASK) ||
-                if (action & IMA_APPRAISE_SUBMASK)
+                    strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
-                        xattr_ptr = &xattr_value;
-        } else
                xattr_ptr = &xattr_value;
        rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
@@ -217,14 +218,14 @@ static int process_measurement(struct file *file, const char *filename,
                goto out_digsig;
        }
-        pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);
+        pathname = ima_d_path(&file->f_path, &pathbuf);
        if (action & IMA_MEASURE)
                ima_store_measurement(iint, file, pathname,
                                      xattr_value, xattr_len);
        if (action & IMA_APPRAISE_SUBMASK)
-                rc = ima_appraise_measurement(_func, iint, file, pathname,
+                rc = ima_appraise_measurement(function, iint, file, pathname,
-                                              xattr_value, xattr_len);
+                                              xattr_value, xattr_len, opened);
        if (action & IMA_AUDIT)
                ima_audit_measurement(iint, pathname);
        kfree(pathbuf);
@@ -253,7 +254,7 @@ out:
 int ima_file_mmap(struct file *file, unsigned long prot)
 {
        if (file && (prot & PROT_EXEC))
-                return process_measurement(file, NULL, MAY_EXEC, MMAP_CHECK);
+                return process_measurement(file, MAY_EXEC, MMAP_CHECK, 0);
        return 0;
 }
@@ -272,10 +273,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
 */
 int ima_bprm_check(struct linux_binprm *bprm)
 {
-        return process_measurement(bprm->file,
+        return process_measurement(bprm->file, MAY_EXEC, BPRM_CHECK, 0);
-                                   (strcmp(bprm->filename, bprm->interp) == 0) ?
-                                   bprm->filename : bprm->interp,
-                                   MAY_EXEC, BPRM_CHECK);
 }
 /**
@@ -288,12 +286,12 @@ int ima_bprm_check(struct linux_binprm *bprm)
 * On success return 0.  On integrity appraisal error, assuming the file
 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
 */
-int ima_file_check(struct file *file, int mask)
+int ima_file_check(struct file *file, int mask, int opened)
 {
        ima_rdwr_violation_check(file);
-        return process_measurement(file, NULL,
+        return process_measurement(file,
                                   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
-                                   FILE_CHECK);
+                                   FILE_CHECK, opened);
 }
 EXPORT_SYMBOL_GPL(ima_file_check);
@@ -316,7 +314,7 @@ int ima_module_check(struct file *file)
 #endif
                return 0;       /* We rely on module signature checking */
        }
-        return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK);
+        return process_measurement(file, MAY_EXEC, MODULE_CHECK, 0);
 }
 int ima_fw_from_file(struct file *file, char *buf, size_t size)
@@ -327,7 +325,7 @@ int ima_fw_from_file(struct file *file, char *buf, size_t size)
                        return -EACCES; /* INTEGRITY_UNKNOWN */
                return 0;
        }
-        return process_measurement(file, NULL, MAY_EXEC, FIRMWARE_CHECK);
+        return process_measurement(file, MAY_EXEC, FIRMWARE_CHECK, 0);
 }
 static int __init init_ima(void)