Re: [PATCH 1/8] ima: fix erronous removal of security.ima xattr
From: Mimi Zohar
Date: Mon Mar 03 2014 - 08:43:58 EST
On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote:
> ima_inode_post_setattr() calls ima_must_appraise() to check if
> file needs to be appraised. If it is not then it removes security.ima
> xattr. With original policy matching code it might happen that even
> file needs to be appraised with FILE_CHECK hook, it might not be
> for POST_SETATTR hook. 'security.ima' might be erronously removed.
>
> This patch treats POST_SETATTR as special wildcard function and will
> cause ima_must_appraise() to be true if any of the hooks rules matches.
> security.ima will not be removed if any of the hooks would require
> appraisal.
>
> Signed-off-by: Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx>
Thanks!
Mimi
> ---
> security/integrity/ima/ima_policy.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index d7c97a4..947cdbe 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -167,9 +167,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
> const struct cred *cred = current_cred();
> int i;
>
> - if ((rule->flags & IMA_FUNC) && rule->func != func)
> + if ((rule->flags & IMA_FUNC) &&
> + (rule->func != func && func != POST_SETATTR))
> return false;
> - if ((rule->flags & IMA_MASK) && rule->mask != mask)
> + if ((rule->flags & IMA_MASK) &&
> + (rule->mask != mask && func != POST_SETATTR))
> return false;
> if ((rule->flags & IMA_FSMAGIC)
> && rule->fsmagic != inode->i_sb->s_magic)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/