authorMimi Zohar <zohar@linux.vnet.ibm.com>2018-03-11 05:07:34 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>2018-03-23 11:31:37 +0100
commita9a4935d44b58c858a81393694bc232a96cdcbd4 (patch)
treeee3c6a3bac3399f8d71e75538c554c5ac0807625
parentima: re-evaluate files on privileged mounted filesystems (diff)
downloadlinux-a9a4935d44b58c858a81393694bc232a96cdcbd4.tar.xz
linux-a9a4935d44b58c858a81393694bc232a96cdcbd4.zip
ima: clear IMA_HASH
The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly. Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions") Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r--security/integrity/ima/ima_policy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e3da29af2c16..40557c06300f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -389,7 +389,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
action |= entry->action & IMA_DO_MASK;
if (entry->action & IMA_APPRAISE) {
action |= get_subaction(entry, func);
- action ^= IMA_HASH;
+ action &= ~IMA_HASH;
}
if (entry->action & IMA_DO_MASK)
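Review bot: The new `action &= ~IMA_HASH;` line in the `IMA_APPRAISE` branch has no comment explaining why the bit is dropped, and the one-character difference from the old `^=` is easy to reintroduce in a later cleanup. I would add `/* IMA_APPRAISE and IMA_HASH overlap: clear (never toggle) IMA_HASH when appraising */` directly above it. The mask is applied to the accumulated `action` (built with `|=` on the first line of the hunk), so it presumably also removes an IMA_HASH bit carried over from an earlier matching rule, not only one from this entry. That looks intended given the commit message, but it should be stated in the comment. `ima_match_policy` starts and ends outside this hunk, so whether a later rule can set the bit again cannot be confirmed from the lines shown.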