authorDmitry Kasatkin <d.kasatkin@samsung.com>2013-11-13 16:42:39 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-03-07 12:15:44 -0500
commit09b1148ef59c93d292a3355c00e9b5779b2ecad0 (patch)
treeb174a785efcfb9f752da096cd31593da96b2603d /security/integrity
parent20ee451f5a7cd43edda56ba36cbec4d881d3329f (diff)
ima: fix erroneous removal of security.ima xattr
ima_inode_post_setattr() calls ima_must_appraise() to check if the file needs to be appraised. If it does not, then it removes the security.ima xattr. With the original policy-matching code it might happen that even though a file needs to be appraised for the FILE_CHECK hook, it might not for the POST_SETATTR hook, so 'security.ima' might be erroneously removed. This patch treats POST_SETATTR as a special wildcard function and will cause ima_must_appraise() to be true if any of the hooks' rules matches. security.ima will not be removed if any of the hooks would require appraisal. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_policy.c6
1 files changed, 4 insertions, 2 deletions
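--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -167,9 +167,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
 	const struct cred *cred = current_cred();
 	int i;
 
-	if ((rule->flags & IMA_FUNC) && rule->func != func)
+	if ((rule->flags & IMA_FUNC) &&
+	    (rule->func != func && func != POST_SETATTR))
 		return false;
-	if ((rule->flags & IMA_MASK) && rule->mask != mask)
+	if ((rule->flags & IMA_MASK) &&
+	    (rule->mask != mask && func != POST_SETATTR))
 		return false;
 	if ((rule->flags & IMA_FSMAGIC)
 	    && rule->fsmagic != inode->i_sb->s_magic)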
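Review bot: The POST_SETATTR wildcard in the two new `if` conditions (new lines 170–174) is not recorded anywhere a reader of ima_match_rules() will see it, since the function's header comment sits above the hunk; I would add `/* POST_SETATTR is a wildcard: it matches a rule regardless of the rule's func and mask */` directly above the first check. Because both the func and the mask comparison are skipped for that caller, ima_must_appraise() for POST_SETATTR presumably takes the action of whichever rule first matches on the remaining attributes (fsmagic, uid, and so on), so a dont_appraise rule scoped to one hook that appears earlier in the policy could still answer "no appraisal" even though a later appraise rule for a different hook would match — if the policy walk in the caller is first-match (it is outside this hunk), that ordering interaction is worth stating in the same comment and covering with a policy test. ima_match_rules() begins before and continues after the hunk.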