ima: fix erroneous removal of security.ima xattr
authorDmitry Kasatkin <d.kasatkin@samsung.com>
Wed, 13 Nov 2013 21:42:39 +0000 (23:42 +0200)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Fri, 7 Mar 2014 17:15:44 +0000 (12:15 -0500)
ima_inode_post_setattr() calls ima_must_appraise() to check if the
file needs to be appraised. If it does not then it removes security.ima
xattr. With original policy matching code it might happen that even
file needs to be appraised with FILE_CHECK hook, it might not be
for POST_SETATTR hook. 'security.ima' might be erronously removed.

This patch treats POST_SETATTR as special wildcard function and will
cause ima_must_appraise() to be true if any of the hooks rules matches.
security.ima will not be removed if any of the hooks would require
appraisal.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/ima/ima_policy.c

index 3f6b8a466368e01052d466aa826658fec78d5556..a556d5b9c57f75c9fe7b11b1fd8ee1d20a83280f 100644 (file)
@@ -167,9 +167,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
        const struct cred *cred = current_cred();
        int i;
 
-       if ((rule->flags & IMA_FUNC) && rule->func != func)
+       if ((rule->flags & IMA_FUNC) &&
+           (rule->func != func && func != POST_SETATTR))
                return false;
-       if ((rule->flags & IMA_MASK) && rule->mask != mask)
+       if ((rule->flags & IMA_MASK) &&
+           (rule->mask != mask && func != POST_SETATTR))
                return false;
        if ((rule->flags & IMA_FSMAGIC)
            && rule->fsmagic != inode->i_sb->s_magic)