From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Roberto Sassu , Mimi Zohar , Sasha Levin , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH AUTOSEL 5.12 36/80] ima: Don't remove security.ima if file must not be appraised Date: Sun, 4 Jul 2021 19:05:32 -0400 Message-Id: <20210704230616.1489200-36-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210704230616.1489200-1-sashal@kernel.org> References: <20210704230616.1489200-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Roberto Sassu [ Upstream commit ed1b472fc15aeaa20ddeeb93fd25190014e50d17 ] Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr(). Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin --- security/integrity/ima/ima_appraise.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 565e33ff19d0..d7cc6f897746 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -522,8 +522,6 @@ void ima_inode_post_setattr(struct user_namespace *mnt_userns, return; action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR); - if (!action) - __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_IMA); iint = integrity_iint_find(inode); if (iint) { set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags); -- 2.30.2
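Review bot: The commit message says the patch removes "the removexattr() system call", but the two lines deleted from ima_inode_post_setattr() are `if (!action)` and `__vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_IMA);`, which is an in-kernel helper call and not a system call; the message should name what is actually deleted. It should also state the resulting behaviour: after a setattr that takes a file out of appraisal scope, an existing security.ima value now stays on the inode. It is worth saying explicitly that this is intended, since that value will be what gets evaluated if the file later falls under an appraise rule again. Separately, with the `if (!action)` branch gone, the visible context shows no remaining reader of `action`. Please confirm that the `if (iint) {` block following `set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);` still uses it, otherwise the ima_must_appraise() assignment is dead and should be dropped in the same patch. For the stable queue, the message carries no Fixes: tag and describes no user-visible failure, so the case for backporting a behaviour change should be spelled out.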