Re: [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule()

From: Mimi Zohar
Date: Thu Jun 25 2020 - 16:46:14 EST

Next message: Christophe JAILLET: "[PATCH] scsi: cumana_2: Fix different dev_id between 'request_irq()' and 'free_irq()'"
Previous message: Stafford Horne: "[PATCH] init: Align init_task to avoid conflict with MUTEX_FLAGS"
In reply to: Tyler Hicks: "Re: [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 514baf24d6a5..ae2ec2a9cdb9 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
> > case KEXEC_KERNEL_CHECK:
> > case KEXEC_INITRAMFS_CHECK:
> > case POLICY_CHECK:
> > + if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
> > + IMA_UID | IMA_FOWNER | IMA_FSUUID |
> > + IMA_INMASK | IMA_EUID | IMA_PCR |
> > + IMA_FSNAME))
>
> I accidentally left these out:
>
> (IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)
>
> I'll add them in v2.

Thanks, I noticed when skimming the patches the first time around.

Mimi

Next message: Christophe JAILLET: "[PATCH] scsi: cumana_2: Fix different dev_id between 'request_irq()' and 'free_irq()'"
Previous message: Stafford Horne: "[PATCH] init: Align init_task to avoid conflict with MUTEX_FLAGS"
In reply to: Tyler Hicks: "Re: [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]