Commit def3e8b9 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

ima: set appraise status in fix mode only when xattr is fixed

When a file system is mounted read-only, setting the xattr value in
fix mode fails with an error code -EROFS.  The xattr should be fixed
after the file system is remounted read-write.  This patch verifies
that the set xattr succeeds, before setting the appraise status value
to INTEGRITY_PASS.
Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent e9080565
...@@ -42,12 +42,13 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) ...@@ -42,12 +42,13 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
return ima_match_policy(inode, func, mask, IMA_APPRAISE); return ima_match_policy(inode, func, mask, IMA_APPRAISE);
} }
static void ima_fix_xattr(struct dentry *dentry, static int ima_fix_xattr(struct dentry *dentry,
struct integrity_iint_cache *iint) struct integrity_iint_cache *iint)
{ {
iint->ima_xattr.type = IMA_XATTR_DIGEST; iint->ima_xattr.type = IMA_XATTR_DIGEST;
__vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr, return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
sizeof iint->ima_xattr, 0); (u8 *)&iint->ima_xattr,
sizeof(iint->ima_xattr), 0);
} }
/* /*
...@@ -141,7 +142,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, ...@@ -141,7 +142,7 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint,
if ((ima_appraise & IMA_APPRAISE_FIX) && if ((ima_appraise & IMA_APPRAISE_FIX) &&
(!xattr_value || (!xattr_value ||
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
ima_fix_xattr(dentry, iint); if (!ima_fix_xattr(dentry, iint))
status = INTEGRITY_PASS; status = INTEGRITY_PASS;
} }
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
......
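Review bot: The errno returned by ima_fix_xattr() in the second hunk is only tested for zero and then discarded, so when the xattr write fails for any reason other than the read-only mount the commit message describes (e.g. -ENOSPC, or -EOPNOTSUPP on a filesystem without xattr support) nothing records why the file was left unfixed; keep it as `rc = ima_fix_xattr(dentry, iint); if (!rc) status = INTEGRITY_PASS;` and, if the integrity_audit_msg() call that follows can carry it, report rc there, or at least emit a pr_debug() naming the errno. The new int-returning ima_fix_xattr() also has no comment stating its contract; I would add `/* Write the computed digest to the IMA xattr; returns 0 or the negative errno from __vfs_setxattr_noperm(), e.g. -EROFS on a read-only mount. */` above it. Note that status presumably keeps whatever failing value was computed before this hunk, so in fix mode a read-only mount now yields a failing appraisal instead of the former forced pass — that looks intended, but the description should say so explicitly since fix-mode users may rely on the old behaviour. Both ima_fix_xattr() and ima_appraise_measurement() extend beyond the hunks shown here.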