ima: fix ima_inode_post_setattr Changing file metadata (eg. uid, guid) could result in having to re-appraise a file's integrity, but does not change the "new file" status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. With this patch, changing the file timestamp will not remove the file signature on new files. Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>

commit: 42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b [log] [tgz]
author: Mimi Zohar <zohar@linux.vnet.ibm.com> Mon Feb 29 08:30:12 2016 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> Sun May 01 09:23:52 2016 -0400
tree: fca744f08e4a7e7563ff5f691a9d75766853c654
parent: 39d637af5aa7577f655c58b9e55587566c63a0af [diff] [blame]
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 6b4694a..d2f28a0 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c

@@ -328,7 +328,7 @@
 	if (iint) {
 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-				 IMA_ACTION_FLAGS);
+				 IMA_ACTION_RULE_FLAGS);
 		if (must_appraise)
 			iint->flags |= IMA_APPRAISE;
 	}
commit	42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b	[log] [tgz]
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	Mon Feb 29 08:30:12 2016 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	Sun May 01 09:23:52 2016 -0400
tree	fca744f08e4a7e7563ff5f691a9d75766853c654
parent	39d637af5aa7577f655c58b9e55587566c63a0af [diff] [blame]