diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2016-02-29 08:30:12 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2016-05-01 09:23:52 -0400 |
| commit | 42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b (patch) | |
| tree | fca744f08e4a7e7563ff5f691a9d75766853c654 /security/integrity/integrity.h | |
| parent | 39d637af5aa7577f655c58b9e55587566c63a0af (diff) | |
| download | talos-op-linux-42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b.tar.gz talos-op-linux-42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b.zip | |
ima: fix ima_inode_post_setattr
Changing file metadata (eg. uid, guid) could result in having to
re-appraise a file's integrity, but does not change the "new file"
status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
With this patch, changing the file timestamp will not remove the
file signature on new files.
Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Diffstat (limited to 'security/integrity/integrity.h')
| -rw-r--r-- | security/integrity/integrity.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index e08935cf343f..90bc57d796ec 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -28,6 +28,7 @@ /* iint cache flags */ #define IMA_ACTION_FLAGS 0xff000000 +#define IMA_ACTION_RULE_FLAGS 0x06000000 #define IMA_DIGSIG 0x01000000 #define IMA_DIGSIG_REQUIRED 0x02000000 #define IMA_PERMIT_DIRECTIO 0x04000000 |
