ima: allow to check MAY_APPEND

Lans Zhang · Mimi Zohar · commit 20f482ab9e0f · 2017-01-27T14:17:21.000-05:00
Otherwise some mask and inmask tokens with MAY_APPEND flag may not work
as expected.

Signed-off-by: Lans Zhang &lt;jia.zhang@windriver.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
@@ -157,7 +157,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 /**
  * ima_get_action - appraise & measure decision based on policy.
  * @inode: pointer to inode to measure
- * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
+ * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
+ *        MAY_APPEND)
  * @func: caller identifier
  * @pcr: pointer filled in if matched measure policy sets pcr=
  *
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
@@ -309,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
 /**
  * ima_path_check - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured
- * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
+ * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
  *
  * Measure files based on the ima_must_measure() policy decision.
  *
@@ -319,8 +319,8 @@ int ima_bprm_check(struct linux_binprm *bprm)
 int ima_file_check(struct file *file, int mask, int opened)
 {
 	return process_measurement(file, NULL, 0,
-				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
-				   FILE_CHECK, opened);
+				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
+					   MAY_APPEND), FILE_CHECK, opened);
 }
 EXPORT_SYMBOL_GPL(ima_file_check);
 

Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)`
`309`	`309`	`/**`
`310`	`310`	`* ima_path_check - based on policy, collect/store measurement.`
`311`	`311`	`* @file: pointer to the file to be measured`
`312`		`- * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE`
	`312`	`+ * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND`
`313`	`313`	`*`
`314`	`314`	`* Measure files based on the ima_must_measure() policy decision.`
`315`	`315`	`*`
`@@ -319,8 +319,8 @@ int ima_bprm_check(struct linux_binprm *bprm)`
`319`	`319`	`int ima_file_check(struct file *file, int mask, int opened)`
`320`	`320`	`{`
`321`	`321`	`return process_measurement(file, NULL, 0,`
`322`		`- mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC),`
`323`		`- FILE_CHECK, opened);`
	`322`	`+ mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC \|`
	`323`	`+ MAY_APPEND), FILE_CHECK, opened);`
`324`	`324`	`}`
`325`	`325`	`EXPORT_SYMBOL_GPL(ima_file_check);`
`326`	`326`