review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Thiago Jung Bauermann <bauerman@linux.ibm.com>
	Fri, 28 Jun 2019 02:19:33 +0000 (23:19 -0300)
committer	Mimi Zohar <zohar@linux.ibm.com>
	Mon, 5 Aug 2019 22:40:26 +0000 (18:40 -0400)
commit	e5092255bb3967bcc473dc86492dbbd5f7714023
tree	69dab56bf638a2404728c24a486eb8444f58a9a8	tree \| snapshot
parent	3878d505aa718bcc7b1eb4089ab9b9fb27dee957	commit \| diff

ima: Store the measurement again when appraising a modsig

If the IMA template contains the "modsig" or "d-modsig" field, then the
modsig should be added to the measurement list when the file is appraised.

And that is what normally happens, but if a measurement rule caused a file
containing a modsig to be measured before a different rule causes it to be
appraised, the resulting measurement entry will not contain the modsig
because it is only fetched during appraisal. When the appraisal rule
triggers, it won't store a new measurement containing the modsig because
the file was already measured.

We need to detect that situation and store an additional measurement with
the modsig. This is done by adding an IMA_MEASURE action flag if we read a
modsig and the IMA template contains a modsig field.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

security/integrity/ima/ima.h		diff \| blob \| history
security/integrity/ima/ima_api.c		diff \| blob \| history
security/integrity/ima/ima_main.c		diff \| blob \| history
security/integrity/ima/ima_template.c		diff \| blob \| history