ima: fix ima_inode_post_setattr

Mimi Zohar · Mimi Zohar · commit 42a4c603198f · 2016-05-01T09:23:52.000-04:00
Changing file metadata (eg. uid, guid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.

With this patch, changing the file timestamp will not remove the
file signature on new files.

Reported-by: Dmitry Rozhkov &lt;dmitry.rozhkov@linux.intel.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Tested-by: Dmitry Rozhkov &lt;dmitry.rozhkov@linux.intel.com&gt;
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
@@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
 	if (iint) {
 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-				 IMA_ACTION_FLAGS);
+				 IMA_ACTION_RULE_FLAGS);
 		if (must_appraise)
 			iint->flags |= IMA_APPRAISE;
 	}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
@@ -28,6 +28,7 @@
 
 /* iint cache flags */
 #define IMA_ACTION_FLAGS	0xff000000
+#define IMA_ACTION_RULE_FLAGS	0x06000000
 #define IMA_DIGSIG		0x01000000
 #define IMA_DIGSIG_REQUIRED	0x02000000
 #define IMA_PERMIT_DIRECTIO	0x04000000

Original file line number	Diff line number	Diff line change
`@@ -328,7 +328,7 @@ void ima_inode_post_setattr(struct dentry *dentry)`
`328`	`328`	`if (iint) {`
`329`	`329`	`iint->flags &= ~(IMA_APPRAISE \| IMA_APPRAISED \|`
`330`	`330`	`IMA_APPRAISE_SUBMASK \| IMA_APPRAISED_SUBMASK \|`
`331`		`- IMA_ACTION_FLAGS);`
	`331`	`+ IMA_ACTION_RULE_FLAGS);`
`332`	`332`	`if (must_appraise)`
`333`	`333`	`iint->flags \|= IMA_APPRAISE;`
`334`	`334`	`}`