This patch adds a call to evm_inode_post_removexattr() after the
'security.ima' extended attribute is removed in ima_inode_post_setattr(),
so that the 'security.evm' HMAC is recomputed and stays consistent with
the inode's remaining xattrs.
Signed-off-by: Roberto Sassu <[email protected]>
---
security/integrity/ima/ima_main.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 32dadfa..df92f4d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -25,6 +25,7 @@
#include <linux/slab.h>
#include <linux/xattr.h>
#include <linux/ima.h>
+#include <linux/evm.h>
#include "ima.h"
@@ -365,8 +366,10 @@ void ima_inode_post_setattr(struct dentry *dentry)
iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED);
must_appraise = ima_must_appraise(iint, inode, MAY_ACCESS,
POST_SETATTR);
- if (!must_appraise)
+ if (!must_appraise) {
rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
+ evm_inode_post_removexattr(dentry, XATTR_NAME_IMA);
+ }
mutex_unlock(&iint->mutex);
kref_put(&iint->refcount, iint_free);
return;
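Review bot: The new evm_inode_post_removexattr() call runs regardless of the result stored in `rc` on the line above it, so the EVM HMAC is recomputed even when the removal failed (for example because the file carried no 'security.ima' to begin with) and nothing on the inode actually changed; gate the post hook on success, `if (!rc)` before `evm_inode_post_removexattr(dentry, XATTR_NAME_IMA);`, which also gives the previously write-only `rc` a reader. This mirrors the way the VFS removexattr path appears to invoke the post hook only after a successful removal, though that caller is not visible here. One thing to confirm before merging: ima_inode_post_setattr() is reached from notify_change(), which is normally entered with the inode's i_mutex held, so if evm_inode_post_removexattr() takes i_mutex itself this call would self-deadlock — worth checking the EVM side or documenting the locking expectation with a comment such as `/* caller holds i_mutex; evm hook must not retake it */`. The body of ima_inode_post_setattr() begins before this hunk, so the origin of `rc` and `inode` is not visible.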
--
1.7.2.3