From 42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 29 Feb 2016 08:30:12 -0500 Subject: [PATCH] ima: fix ima_inode_post_setattr Changing file metadata (eg. uid, guid) could result in having to re-appraise a file's integrity, but does not change the "new file" status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. With this patch, changing the file timestamp will not remove the file signature on new files. Reported-by: Dmitry Rozhkov Signed-off-by: Mimi Zohar Tested-by: Dmitry Rozhkov --- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/integrity.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 6b4694a..d2f28a0 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry) if (iint) { iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | - IMA_ACTION_FLAGS); + IMA_ACTION_RULE_FLAGS); if (must_appraise) iint->flags |= IMA_APPRAISE; } diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index e08935c..90bc57d 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -28,6 +28,7 @@ /* iint cache flags */ #define IMA_ACTION_FLAGS 0xff000000 +#define IMA_ACTION_RULE_FLAGS 0x06000000 #define IMA_DIGSIG 0x01000000 #define IMA_DIGSIG_REQUIRED 0x02000000 #define IMA_PERMIT_DIRECTIO 0x04000000 -- 2.7.4