author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-03-17 23:24:18 -0400 |
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-06-12 17:58:05 -0400 |
commit | 060bdebfb0b82751be89c0ce4b6e2c88606a354b (patch) | |
tree | b3b8253420850eb54927da9f68e41d9ad074ac6f /security/integrity | |
parent | 0e04c641b199435f3779454055f6a7de258ecdfc (diff) |
ima: prevent new digsig xattr from being replaced
Even though a new xattr will only be appraised on the next access,
set the DIGSIG flag to prevent a signature from being replaced with
a hash on file close.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/ima/ima_appraise.c | 10 |
1 files changed, 7 insertions, 3 deletions
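diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 291bf0f3a46d..d3113d4aaa3c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -341,7 +341,7 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
 return 0;
 }
 
-static void ima_reset_appraise_flags(struct inode *inode)
+static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 {
 struct integrity_iint_cache *iint;
 
@@ -353,18 +353,22 @@ static void ima_reset_appraise_flags(struct inode *inode)
 return;
 
 iint->flags &= ~IMA_DONE_MASK;
+if (digsig)
+iint->flags |= IMA_DIGSIG;
 return;
 }
 
 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 const void *xattr_value, size_t xattr_value_len)
 {
+const struct evm_ima_xattr_data *xvalue = xattr_value;
 int result;
 
 result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 xattr_value_len);
 if (result == 1) {
-ima_reset_appraise_flags(dentry->d_inode);
+ima_reset_appraise_flags(dentry->d_inode,
+(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
 result = 0;
 }
 return result;
@@ -376,7 +380,7 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 
 result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
 if (result == 1) {
-ima_reset_appraise_flags(dentry->d_inode);
+ima_reset_appraise_flags(dentry->d_inode, 0);
 result = 0;
 }
 return result;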
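Review bot: In ima_inode_setxattr the new `xvalue->type` read inside `if (result == 1)` dereferences the caller-supplied xattr value without checking `xattr_value_len`, so a zero-length security.ima value (for which the VFS presumably passes no buffer at all) reaches the dereference — unless ima_protect_xattr, whose body is outside this hunk, already rejects an empty value; the call passes the length, but nothing in the hunk shows it being checked. A one-line guard before the reset closes this: `if (!xattr_value_len) return -EINVAL;`, placed right after the `result == 1` test and before `ima_reset_appraise_flags`. As a point of style, `(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0` is redundant since the comparison already yields 0 or 1, and the `int digsig` parameter reads more naturally as `bool`. ima_inode_setxattr's closing brace and ima_inode_removexattr's opening lie outside the hunks, and ima_reset_appraise_flags is split across the first two hunks.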