On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote: > ima_inode_post_setattr() calls ima_must_appraise() to check if > file needs to be appraised. If it is not then it removes security.ima > xattr. With original policy matching code it might happen that even > file needs to be appraised with FILE_CHECK hook, it might not be > for POST_SETATTR hook. 'security.ima' might be erronously removed. > > This patch treats POST_SETATTR as special wildcard function and will > cause ima_must_appraise() to be true if any of the hooks rules matches. > security.ima will not be removed if any of the hooks would require > appraisal. > > Signed-off-by: Dmitry Kasatkin <[email protected]>
Thanks! Mimi > --- > security/integrity/ima/ima_policy.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/security/integrity/ima/ima_policy.c > b/security/integrity/ima/ima_policy.c > index d7c97a4..947cdbe 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -167,9 +167,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, > const struct cred *cred = current_cred(); > int i; > > - if ((rule->flags & IMA_FUNC) && rule->func != func) > + if ((rule->flags & IMA_FUNC) && > + (rule->func != func && func != POST_SETATTR)) > return false; > - if ((rule->flags & IMA_MASK) && rule->mask != mask) > + if ((rule->flags & IMA_MASK) && > + (rule->mask != mask && func != POST_SETATTR)) > return false; > if ((rule->flags & IMA_FSMAGIC) > && rule->fsmagic != inode->i_sb->s_magic) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
