
evm: return the real setxattr/removexattr failure status for inode without xattr support

Message ID 20171103231849.0fb36c15@totoro (mailing list archive)
State New, archived

Commit Message

Mikhail Kurinnoi Nov. 3, 2017, 8:18 p.m. UTC
This patch provides changes in order to return the real setxattr/removexattr
failure status for an inode without xattr support.

Signed-off-by: Mikhail Kurinnoi <viewizard@viewizard.com>

 security/integrity/evm/evm_main.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

Patch

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 9826c02e2db8..ca412d65a416 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -294,8 +294,7 @@  static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 		if (!posix_xattr_acl(xattr_name))
 			return 0;
 		evm_status = evm_verify_current_integrity(dentry);
-		if ((evm_status == INTEGRITY_PASS) ||
-		    (evm_status == INTEGRITY_NOXATTRS))
+		if (evm_status == INTEGRITY_NOXATTRS)
 			return 0;
 		goto out;
 	}
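Review bot: The narrowed test on `evm_status` leaves the reader unable to tell which statuses are still accepted for POSIX ACL xattrs, because everything except `INTEGRITY_NOXATTRS` now takes `goto out` and is decided at the far end of the function. A short comment above the check would make the policy readable at this point, for example `/* PASS and UNKNOWN are accepted at out:, everything else is denied and audited */`. The enclosing `if` block and the rest of evm_protect_xattr() start outside this hunk, so the comment should be checked against the full branch.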
@@ -319,12 +318,15 @@  static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 				    -EPERM, 0);
 	}
 out:
-	if (evm_status != INTEGRITY_PASS)
-		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
-				    dentry->d_name.name, "appraise_metadata",
-				    integrity_status_msg[evm_status],
-				    -EPERM, 0);
-	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
+	if ((evm_status == INTEGRITY_PASS) ||
+	    (evm_status == INTEGRITY_UNKNOWN))
+		return 0;
+
+	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
+			    dentry->d_name.name, "appraise_metadata",
+			    integrity_status_msg[evm_status],
+			    -EPERM, 0);
+	return -EPERM;
 }
 
 /**
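Review bot: The `out:` block now returns 0 for `INTEGRITY_UNKNOWN` before `integrity_audit_msg()` is reached, so a status that previously produced `-EPERM` and an `appraise_metadata` audit record is now allowed with no log entry. `out:` looks like the common exit for evm_protect_xattr(), most of which lies outside this hunk, so the relaxation probably applies to every path that jumps there and not only to the "inode without xattr support" case named in the subject. It would be safer to accept `INTEGRITY_UNKNOWN` only in the branch that has established the missing xattr support, and to keep an audit record for that case so the allowed write stays visible to monitoring. At minimum the check needs a comment stating the assumption, such as `/* INTEGRITY_UNKNOWN: no xattr support here; let the filesystem report the real error */`.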