ima: prevent new digsig xattr from being replaced

Even though a new xattr will only be appraised on the next access, set the DIGSIG flag to prevent a signature from being replaced with a hash on file close. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-03-17 23:24:18 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-06-12 17:58:05 -0400
commit: 060bdebfb0b82751be89c0ce4b6e2c88606a354b (patch)
tree: b3b8253420850eb54927da9f68e41d9ad074ac6f /security/integrity
parent: 0e04c641b199435f3779454055f6a7de258ecdfc (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 291bf0f3a46d..d3113d4aaa3c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -341,7 +341,7 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
        return 0;
 }
-static void ima_reset_appraise_flags(struct inode *inode)
+static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 {
        struct integrity_iint_cache *iint;
@@ -353,18 +353,22 @@ static void ima_reset_appraise_flags(struct inode *inode)
                return;
        iint->flags &= ~IMA_DONE_MASK;
+        if (digsig)
+                iint->flags |= IMA_DIGSIG;
        return;
 }
 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
                       const void *xattr_value, size_t xattr_value_len)
 {
+        const struct evm_ima_xattr_data *xvalue = xattr_value;
        int result;
        result = ima_protect_xattr(dentry, xattr_name, xattr_value,
                                   xattr_value_len);
        if (result == 1) {
-                ima_reset_appraise_flags(dentry->d_inode);
+                ima_reset_appraise_flags(dentry->d_inode,
+                         (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
                result = 0;
        }
        return result;
@@ -376,7 +380,7 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
        result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
        if (result == 1) {
-                ima_reset_appraise_flags(dentry->d_inode);
+                ima_reset_appraise_flags(dentry->d_inode, 0);
                result = 0;
        }
        return result;
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2014-03-17 23:24:18 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2014-06-12 17:58:05 -0400
commit	060bdebfb0b82751be89c0ce4b6e2c88606a354b (patch)
tree	b3b8253420850eb54927da9f68e41d9ad074ac6f /security/integrity
parent	0e04c641b199435f3779454055f6a7de258ecdfc (diff)