authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-10-23 14:53:21 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2015-05-21 19:28:46 +0200
commitc68ed80c97d9720f51ef31fe91560fdd1e121533 (patch)
tree8befae768ac2bc711e7ff699ee401d3d1fb97cbd
parentima: do not measure or appraise the NSFS filesystem (diff)
ima: limit file hash setting by user to fix and log modes
File hashes are automatically set and updated and should not be manually set. This patch limits file hash setting to fix and log modes. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--security/integrity/ima/ima_appraise.c8
1 files changed, 6 insertions, 2 deletions
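--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -378,10 +378,14 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 xattr_value_len);
 if (result == 1) {
+ bool digsig;
+
 if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 return -EINVAL;
- ima_reset_appraise_flags(d_backing_inode(dentry),
- (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+ digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+ if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+ return -EPERM;
+ ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
 result = 0;
 }
 return result;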
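Review bot: The new `-EPERM` return on the `!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)` line carries no comment, so a reader of ima_inode_setxattr sees a writer that already passed ima_protect_xattr() being refused for an unstated reason; the rationale currently lives only in the commit message. A one-line comment above the check would make the policy visible in the code, e.g. `/* Enforce mode: only signatures may be written; file hashes are set and updated by IMA itself. */`. It is also worth stating there that the refusal happens before ima_reset_appraise_flags(), so a rejected write leaves the inode's appraise flags untouched. The body of ima_inode_setxattr begins before this hunk, and whether `return result;` is its final statement cannot be seen here.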