ima_dir: honor appraise permit action
This patch honors the IMA_APPRAISE_PERMIT action flag in ima_dir: when the flag is set for an inode, an appraisal failure (non-zero rc) no longer returns -EACCES in enforce mode and the operation is allowed to proceed.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
diff --git a/security/integrity/ima/ima_dir.c b/security/integrity/ima/ima_dir.c
index a96ee1a..4866162 100644
--- a/security/integrity/ima/ima_dir.c
+++ b/security/integrity/ima/ima_dir.c
@@ -184,6 +184,7 @@
int rc = 0, action, xattr_len = 0, func = DIR_CHECK;
struct evm_ima_xattr_data *xattr_value = NULL;
enum hash_algo algo;
+ int permit;
if (!ima_dir_enabled || !ima_initialized)
return 0;
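Review bot: `int permit;` is declared without an initializer, and its first assignment happens later in the function after integrity_iint_find(); if any early exit between the declaration and that assignment jumps to out_unlocked, the final check reads permit uninitialized, and a non-zero garbage value silently disables the -EACCES enforcement. Whether such a path exists is outside this hunk, but a fail-closed default costs nothing: `int permit = 0;`. The enclosing function starts before this hunk.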
@@ -193,6 +194,7 @@
iint = integrity_iint_find(inode);
BUG_ON(!iint);
+ permit = iint->flags & IMA_APPRAISE_PERMIT;
action = iint->flags & IMA_DO_MASK;
action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
@@ -215,6 +217,8 @@
if (action < 0)
return action;
+ permit = action & IMA_APPRAISE_PERMIT;
+
mutex_lock(&inode->i_mutex);
iint = integrity_inode_get(inode);
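Review bot: The assignment `permit = action & IMA_APPRAISE_PERMIT;` replaces the value taken from `iint->flags` earlier in the function with one taken from the policy action, and nothing explains why the two sources can differ or which one should win; a short comment would help, e.g. `/* policy lookup is authoritative: refresh the permit bit from the returned action */`. This also presumes that IMA_APPRAISE_PERMIT occupies the same bit position in the action mask and in iint->flags, which the hunk does not show — confirm against the flag definitions, since a mismatch would make one of the two masks always evaluate to zero or to an unrelated bit. The enclosing function continues outside the hunk.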
@@ -248,8 +252,8 @@
out_locked:
mutex_unlock(&inode->i_mutex);
out_unlocked:
- if (ima_appraise & IMA_APPRAISE_ENFORCE)
- return rc ? -EACCES : 0;
+ if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE) && !permit)
+ return -EACCES;
return 0;
}
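Review bot: With IMA_APPRAISE_PERMIT set, the new condition at out_unlocked turns every non-zero rc into a return of 0, so an operational error (anything that set rc on the way to out_locked/out_unlocked) is indistinguishable from a permitted appraisal mismatch from the caller's point of view, and nothing in this hunk records that enforcement was waived. If the intent is a log-only mode, the waived failure should leave a trace (an audit or pr_ message at the point rc is set, which lies outside this hunk) so the permit bit cannot be used to silently hide integrity failures; at minimum a comment at the return would make the policy explicit, e.g. `/* IMA_APPRAISE_PERMIT: appraisal failure is kept in rc but not enforced */`. Consider also limiting the waiver to appraisal failures rather than all rc values if rc can carry other errors, which the hunk does not show. The function body before out_locked is outside this hunk.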