diff options
author | Dmitry Kasatkin <dmitry.kasatkin@intel.com> | 2012-09-27 14:06:28 +0200 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2013-01-16 23:50:05 +0100 |
commit | a175b8bb29ebbad380ab4788f307fbfc47997b19 (patch) | |
tree | 8e0dbb1def59d05412e57ff2f9fc089bb304bffa /security/integrity/ima | |
parent | ima: move full pathname resolution to separate function (diff) | |
download | linux-a175b8bb29ebbad380ab4788f307fbfc47997b19.tar.xz linux-a175b8bb29ebbad380ab4788f307fbfc47997b19.zip |
ima: forbid write access to files with digital signatures
This patch forbids write access to files with digital signatures, as they
are considered immutable.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/ima')
-rw-r--r-- | security/integrity/ima/ima_main.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d743c9a0a4b4..cd00ba39e8e0 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -175,12 +175,12 @@ static int process_measurement(struct file *file, const char *filename, if (!action) { if (iint->flags & IMA_APPRAISED) rc = iint->ima_status; - goto out; + goto out_digsig; } rc = ima_collect_measurement(iint, file); if (rc != 0) - goto out; + goto out_digsig; if (function != BPRM_CHECK) pathname = ima_d_path(&file->f_path, &pathbuf); @@ -195,6 +195,9 @@ static int process_measurement(struct file *file, const char *filename, if (action & IMA_AUDIT) ima_audit_measurement(iint, pathname); kfree(pathbuf); +out_digsig: + if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) + rc = -EACCES; out: mutex_unlock(&inode->i_mutex); if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) |