ima: set appraise status in fix mode only when xattr is fixed
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>
Thu, 20 Sep 2012 19:38:53 +0000 (22:38 +0300)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Wed, 16 Jan 2013 20:47:07 +0000 (15:47 -0500)
When a file system is mounted read-only, setting the xattr value in
fix mode fails with -EROFS.  The xattr can only be fixed after the
file system is remounted read-write.  This patch checks that setting
the xattr actually succeeded before setting the appraise status to
INTEGRITY_PASS, so a file whose xattr could not be written is not
reported as passing.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/ima/ima_appraise.c

index bdc8ba1d1d27855527aa7a265cd6de07fee2d291..b240c58403e2ffac410c4947cd16b49323184ea3 100644 (file)
@@ -42,12 +42,13 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
        return ima_match_policy(inode, func, mask, IMA_APPRAISE);
 }
 
-static void ima_fix_xattr(struct dentry *dentry,
+static int ima_fix_xattr(struct dentry *dentry,
                          struct integrity_iint_cache *iint)
 {
        iint->ima_xattr.type = IMA_XATTR_DIGEST;
-       __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr,
-                             sizeof iint->ima_xattr, 0);
+       return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
+                                    (u8 *)&iint->ima_xattr,
+                                     sizeof(iint->ima_xattr), 0);
 }
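Review bot: ima_fix_xattr now has a return contract that a caller depends on (the call site tests `!ima_fix_xattr(...)`), but nothing at the definition says what is returned; a short comment above the function would pin it down, e.g. `/* Write the freshly computed digest into security.ima. Returns 0 on success or the negative errno from __vfs_setxattr_noperm (e.g. -EROFS on a read-only mount). */`. The function also sets iint->ima_xattr.type before attempting the write, so on failure the cached xattr type is left as IMA_XATTR_DIGEST even though nothing reached disk; if that is intended it is worth a one-line comment, if not the assignment could move after a successful return. Minor style point: the third argument line at `sizeof(iint->ima_xattr), 0);` is indented one column further than the line above it, so the continuation lines no longer align under the opening parenthesis.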
 
 /*
@@ -141,8 +142,8 @@ out:
                if ((ima_appraise & IMA_APPRAISE_FIX) &&
                    (!xattr_value ||
                     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
-                       ima_fix_xattr(dentry, iint);
-                       status = INTEGRITY_PASS;
+                       if (!ima_fix_xattr(dentry, iint))
+                               status = INTEGRITY_PASS;
                }
                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
                                    op, cause, rc, 0);
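Review bot: The error code from the failed fix is discarded at `if (!ima_fix_xattr(dentry, iint))`, and the integrity_audit_msg() call that follows still reports the original appraisal's `rc` and `cause`, so when fix mode silently fails on a read-only mount the audit record gives the operator no indication that the xattr was not written or why. Capturing the result, e.g. `int fix_rc = ima_fix_xattr(dentry, iint); if (!fix_rc) status = INTEGRITY_PASS; else pr_debug("ima: fix xattr failed for %s: %d\n", filename, fix_rc);`, would make the -EROFS case diagnosable from the log. Note also that on failure `status` keeps whatever value the appraisal computed before the `out:` label, which is presumably the failing status and is what this hunk intends, but the enclosing function (and the assignment of `status`) begins and ends outside the hunk, so that should be confirmed against the full body.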