From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mimi Zohar , Sasha Levin Subject: [PATCH 4.16 139/272] ima: clear IMA_HASH Date: Mon, 28 May 2018 12:02:52 +0200 Message-Id: <20180528100252.722880471@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100240.256525891@linuxfoundation.org> References: <20180528100240.256525891@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mimi Zohar [ Upstream commit a9a4935d44b58c858a81393694bc232a96cdcbd4 ] The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly. Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions") Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- security/integrity/ima/ima_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -384,7 +384,7 @@ int ima_match_policy(struct inode *inode action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) { action |= get_subaction(entry, func); - action ^= IMA_HASH; + action &= ~IMA_HASH; } if (entry->action & IMA_DO_MASK)
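Review bot: the changelog says only "Clear IMA_HASH properly" and does not state what the replaced `action ^= IMA_HASH;` in the IMA_APPRAISE branch got wrong. XOR toggles the bit, so whenever IMA_HASH was not already set in action the old line set it instead of clearing it. Please spell that out in the commit message together with the observable effect on files matched by an appraise rule, so stable reviewers can judge the impact. Separately, `action &= ~IMA_HASH;` runs after `action |= get_subaction(entry, func);` and clears the bit no matter where it came from. Since action is accumulated with `|=` on the first context line, a one-line comment above the clear stating that an appraise match is meant to drop IMA_HASH even when it was accumulated earlier would make the intent explicit.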