From patchwork Fri Jan 6 04:38:11 2017
X-Patchwork-Submitter: Lans Zhang
X-Patchwork-Id: 9500087
From: Lans Zhang To: , CC: , , Subject: [PATCH] ima: allow to check MAY_APPEND Date: Fri, 6 Jan 2017 12:38:11 +0800 Message-ID: <1483677491-16445-1-git-send-email-jia.zhang@windriver.com> X-Mailer: git-send-email 1.9.1 MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Otherwise some mask and inmask tokens with MAY_APPEND flag may not work as expected. Signed-off-by: Lans Zhang --- security/integrity/ima/ima_api.c | 3 ++- security/integrity/ima/ima_main.c | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 9df26a2..b827875 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -157,7 +157,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename, /** * ima_get_action - appraise & measure decision based on policy. * @inode: pointer to inode to measure - * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) + * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, + * MAY_APPEND) * @func: caller identifier * @pcr: pointer filled in if matched measure policy sets pcr= * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 50818c6..9fbcd8c 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -307,7 +307,7 @@ int ima_bprm_check(struct linux_binprm *bprm) /** * ima_path_check - based on policy, collect/store measurement. * @file: pointer to the file to be measured - * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE + * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND * * Measure files based on the ima_must_measure() policy decision. * 
@@ -317,7 +317,8 @@ int ima_bprm_check(struct linux_binprm *bprm) int ima_file_check(struct file *file, int mask, int opened) { return process_measurement(file, NULL, 0, - mask & (MAY_READ | MAY_WRITE | MAY_EXEC), + mask & (MAY_READ | MAY_WRITE | MAY_EXEC | + MAY_APPEND), FILE_CHECK, opened); } EXPORT_SYMBOL_GPL(ima_file_check);
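Review bot: In the ima_file_check() hunk of ima_main.c, the mask passed to process_measurement() can now carry MAY_APPEND together with MAY_WRITE, and nothing in this patch shows how a policy rule's mask is compared against it. If that comparison is an exact match, an existing rule written for MAY_WRITE alone could stop matching a file opened for append, and the file would silently fall out of measurement or appraisal. Please say in the commit message which rules were tested (a mask rule and an inmask rule with MAY_APPEND, plus an existing MAY_WRITE rule against an append open) and confirm the existing ones still match.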
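Review bot: In the kernel-doc hunk at @@ -307 of ima_main.c, the comment being edited is still titled ima_path_check, while the function it documents, visible in the following hunk, is ima_file_check(). Since the patch already rewrites the @mask line, correct the name in the same comment. The visible parameter list also stops at @mask and has no entry for the opened argument that ima_file_check() takes, so add one while you are here.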