提交 a175b8bb 编写于 作者: D Dmitry Kasatkin 提交者: Mimi Zohar

ima: forbid write access to files with digital signatures

This patch forbids write access to files with digital signatures, as they
are considered immutable.
Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
上级 ea1046d4
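--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -175,12 +175,12 @@ static int process_measurement(struct file *file, const char *filename,
 	if (!action) {
 		if (iint->flags & IMA_APPRAISED)
 			rc = iint->ima_status;
-		goto out;
+		goto out_digsig;
 	}
 	rc = ima_collect_measurement(iint, file);
 	if (rc != 0)
-		goto out;
+		goto out_digsig;
 	if (function != BPRM_CHECK)
 		pathname = ima_d_path(&file->f_path, &pathbuf);
@@ -195,6 +195,9 @@ static int process_measurement(struct file *file, const char *filename,
 	if (action & IMA_AUDIT)
 		ima_audit_measurement(iint, pathname);
 	kfree(pathbuf);
+out_digsig:
+	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
+		rc = -EACCES;
 out:
 	mutex_unlock(&inode->i_mutex);
 	if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))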
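Review bot: The new `out_digsig` check overwrites whatever `rc` already holds (including an earlier `ima_collect_measurement` error or a cached `ima_status`) with `-EACCES`, and whether that value is actually returned looks like it still hinges on the `must_appraise` / `IMA_APPRAISE_ENFORCE` test on the following line, so in a non-enforcing configuration a write to a signed file is presumably permitted with nothing recording that it happened; a short comment above the `if` would make the intent and the limit explicit, e.g. `/* Digitally signed files are immutable: deny writes; the result is only returned to the caller under the appraise-enforce check below */`. The denial also depends on `IMA_DIGSIG` already being present in `iint->flags`, which nothing in this hunk sets, so it is worth confirming that the `!action` path (which now reaches this label without appraising) cannot be hit for a signed file whose flags have not yet been populated. The tail of process_measurement, including its return, continues outside the hunk.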