From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Roberto Sassu, Mimi Zohar, Sasha Levin, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 38/85] ima: Don't remove security.ima if file must not be appraised
Date: Sun, 4 Jul 2021 19:03:33 -0400
Message-Id: <20210704230420.1488358-38-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210704230420.1488358-1-sashal@kernel.org>
References: <20210704230420.1488358-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Roberto Sassu

[ Upstream commit ed1b472fc15aeaa20ddeeb93fd25190014e50d17 ]

Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA's task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr().

Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
Signed-off-by: Sasha Levin
--- security/integrity/ima/ima_appraise.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 4e5eb0236278..55dac618f2a1 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -522,8 +522,6 @@ void ima_inode_post_setattr(struct user_namespace *mnt_userns, return; action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR); - if (!action) - __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_IMA); iint = integrity_iint_find(inode); if (iint) { set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags); -- 2.30.2
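
Review bot: With the "if (!action)" branch in ima_inode_post_setattr() gone, a security.ima value on a file that no longer matches the appraise policy after the attribute change now stays on disk, and neither the commit message nor a comment at the ima_must_appraise() call says how such a leftover value is treated if the file later falls under appraisal again. Please state the intended behaviour there, since this is the only place the hunk shows the xattr being cleaned up. Two smaller points: in the visible lines the removed branch was the only reader of "action", so confirm it is still consumed further down in the function and drop the ima_must_appraise() call if it is not; and the message describes a "removexattr() system call" while the deleted line is an in-kernel __vfs_removexattr() call, so the wording should name that helper.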