| From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001 |
| From: Roberto Sassu <roberto.sassu@huawei.com> |
| Date: Tue, 7 Nov 2017 11:37:07 +0100 |
| Subject: ima: do not update security.ima if appraisal status is not INTEGRITY_PASS |
| |
| From: Roberto Sassu <roberto.sassu@huawei.com> |
| |
| commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream. |
| |
| Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters") |
| moved the call of ima_file_check() from may_open() to do_filp_open() at a |
| point where the file descriptor is already opened. |
| |
| This breaks the assumption made by IMA that file descriptors being closed |
| belong to files whose access was granted by ima_file_check(). The |
| consequence is that security.ima and security.evm are updated with good |
| values, regardless of the current appraisal status. |
| |
| For example, if a file does not have security.ima, IMA will create it after |
| opening the file for writing, even if access is denied. Access to the file |
| will be allowed afterwards. |
| |
| Avoid this issue by checking the appraisal status before updating |
| security.ima. |
| |
| Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> |
| Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> |
| Signed-off-by: James Morris <james.l.morris@oracle.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/integrity/ima/ima_appraise.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/security/integrity/ima/ima_appraise.c |
| +++ b/security/integrity/ima/ima_appraise.c |
| @@ -320,6 +320,9 @@ void ima_update_xattr(struct integrity_i |
| if (iint->flags & IMA_DIGSIG) |
| return; |
| |
| + if (iint->ima_file_status != INTEGRITY_PASS) |
| + return; |
| + |
| rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo); |
| if (rc < 0) |
| return; |
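Review bot: The early return added at `+ if (iint->ima_file_status != INTEGRITY_PASS)` carries no comment, so a reader of ima_update_xattr() has no indication that the guard exists because the descriptor may already be open when ima_file_check() denies access (the scenario in the commit message). Suggest a one-line comment above it, e.g. `/* do not fix up security.ima for a file whose open was not appraised as INTEGRITY_PASS */`. Placing the check after the `IMA_DIGSIG` early return is fine, since signed files already never have their xattr rewritten here. The commit message names both security.ima and security.evm as affected while the hunk guards only this function; it would help if the message said explicitly how stopping the security.ima update also covers security.evm.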