[v2,1/2] ima: fix ima_inode_post_setattr

Message ID	1458049391-26620-2-git-send-email-zohar@linux.vnet.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> Gateway: Authorized Use Only! Violators will be prosecuted for <linux-fsdevel@vger.kernel.org> from <zohar@linux.vnet.ibm.com>; Tue, 15 Mar 2016 19:13:34 +0530 Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 15 Mar 2016 19:13:33 +0530 From: Mimi Zohar <zohar@linux.vnet.ibm.com> To: linux-security-module <linux-security-module@vger.kernel.org> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>, linux-fsdevel@vger.kernel.org Subject: [PATCH v2 1/2] ima: fix ima_inode_post_setattr Date: Tue, 15 Mar 2016 09:43:10 -0400 Message-Id: <1458049391-26620-2-git-send-email-zohar@linux.vnet.ibm.com> In-Reply-To: <1458049391-26620-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1458049391-26620-1-git-send-email-zohar@linux.vnet.ibm.com> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk

Message ID

1458049391-26620-2-git-send-email-zohar@linux.vnet.ibm.com (mailing list archive)

State

New, archived

Headers

From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-security-module <linux-security-module@vger.kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	linux-fsdevel@vger.kernel.org
Subject: [PATCH v2 1/2] ima: fix ima_inode_post_setattr
Date: Tue, 15 Mar 2016 09:43:10 -0400
Message-Id: <1458049391-26620-2-git-send-email-zohar@linux.vnet.ibm.com>
In-Reply-To: <1458049391-26620-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1458049391-26620-1-git-send-email-zohar@linux.vnet.ibm.com>
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Mimi Zohar March 15, 2016, 1:43 p.m. UTC

Changing file metadata (eg. uid, guid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.

With this patch, changing the file timestamp will not remove the
file signature on new files.

Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
---
 security/integrity/ima/ima_appraise.c | 2 +-
 security/integrity/integrity.h        | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 6b4694a..d2f28a0 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -328,7 +328,7 @@  void ima_inode_post_setattr(struct dentry *dentry)
 	if (iint) {
 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-				 IMA_ACTION_FLAGS);
+				 IMA_ACTION_RULE_FLAGS);
 		if (must_appraise)
 			iint->flags |= IMA_APPRAISE;
 	}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e08935c..90bc57d 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -28,6 +28,7 @@ 
 
 /* iint cache flags */
 #define IMA_ACTION_FLAGS	0xff000000
+#define IMA_ACTION_RULE_FLAGS	0x06000000
 #define IMA_DIGSIG		0x01000000
 #define IMA_DIGSIG_REQUIRED	0x02000000
 #define IMA_PERMIT_DIRECTIO	0x04000000

[v2,1/2] ima: fix ima_inode_post_setattr

Commit Message

Patch