ima: limit file hash setting by user to fix and log modes

File hashes are automatically set and updated and should not be manually set. This patch limits file hash setting to fix and log modes. Signed-off-by: N Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com>

ima: limit file hash setting by user to fix and log modes
File hashes are automatically set and updated and should not be manually set. This patch limits file hash setting to fix and log modes. Signed-off-by: N Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: N Mimi Zohar <zohar@linux.vnet.ibm.com>
c68ed80c · Dmitry Kasatkin · Mimi Zohar · cd025f7f · c68ed80c
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

security/integrity/ima/ima_appraise.c security/integrity/ima/ima_appraise.c +6 -2

未找到文件。
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -378,10 +378,14 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 				   xattr_value_len);
 	if (result == 1) {
+		bool digsig;
 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 			return -EINVAL;
-		ima_reset_appraise_flags(d_backing_inode(dentry),
+		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
-			 (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+		if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+			return -EPERM;
+		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
 		result = 0;
 	}
 	return result;