ima: fix ima_inode_post_setattr
Changing file metadata (eg. uid, guid) could result in having to re-appraise a file's integrity, but does not change the "new file" status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. With this patch, changing the file timestamp will not remove the file signature on new files. Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
This commit is contained in:
parent
39d637af5a
commit
42a4c60319
|
@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
|
|||
if (iint) {
|
||||
iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
|
||||
IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
|
||||
IMA_ACTION_FLAGS);
|
||||
IMA_ACTION_RULE_FLAGS);
|
||||
if (must_appraise)
|
||||
iint->flags |= IMA_APPRAISE;
|
||||
}
|
||||
|
|
|
@ -28,6 +28,7 @@
|
|||
|
||||
/* iint cache flags */
|
||||
#define IMA_ACTION_FLAGS 0xff000000
|
||||
#define IMA_ACTION_RULE_FLAGS 0x06000000
|
||||
#define IMA_DIGSIG 0x01000000
|
||||
#define IMA_DIGSIG_REQUIRED 0x02000000
|
||||
#define IMA_PERMIT_DIRECTIO 0x04000000
|
||||
|
|
Loading…
Reference in New Issue