author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2018-03-11 05:07:34 +0100 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2018-03-23 11:31:37 +0100 |
commit | a9a4935d44b58c858a81393694bc232a96cdcbd4 (patch) | |
tree | ee3c6a3bac3399f8d71e75538c554c5ac0807625 | |
parent | ima: re-evaluate files on privileged mounted filesystems (diff) | |
ima: clear IMA_HASH
The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly.
Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions")
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-rw-r--r-- | security/integrity/ima/ima_policy.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e3da29af2c16..40557c06300f 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -389,7 +389,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) { action |= get_subaction(entry, func); - action ^= IMA_HASH; + action &= ~IMA_HASH; } if (entry->action & IMA_DO_MASK) |
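Review bot: the new `action &= ~IMA_HASH;` in the IMA_APPRAISE branch of ima_match_policy() has no comment saying why the hash bit is dropped there, and the commit message does not say what the old `action ^= IMA_HASH;` got wrong. XOR toggles the bit, so the old statement cleared IMA_HASH only when it was already set in `action` and set it when it was not; the AND-NOT form clears it in both cases. Suggest a one-line comment above the statement tying it to the IMA_APPRAISE/IMA_HASH overlap named in the commit message, and a changelog sentence describing the toggle behaviour so the reason for the Fixes: tag is clear to anyone considering a backport.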