From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Roberto Sassu , Mimi Zohar , Sasha Levin Subject: [PATCH 5.12 153/700] ima: Dont remove security.ima if file must not be appraised Date: Mon, 12 Jul 2021 08:03:56 +0200 Message-Id: <20210712060947.198137314@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210712060924.797321836@linuxfoundation.org> References: <20210712060924.797321836@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Roberto Sassu [ Upstream commit ed1b472fc15aeaa20ddeeb93fd25190014e50d17 ] Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr(). Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin --- security/integrity/ima/ima_appraise.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 565e33ff19d0..d7cc6f897746 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -522,8 +522,6 @@ void ima_inode_post_setattr(struct user_namespace *mnt_userns, return; action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR); - if (!action) - __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_IMA); iint = integrity_iint_find(inode); if (iint) { set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags); -- 2.30.2
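Review bot: In the `ima_inode_post_setattr()` hunk, dropping `if (!action)` together with `__vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_IMA);` removes the only visible reader of `action`. The context lines that follow (`iint = integrity_iint_find(inode);` and the `set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);` block) do not use it, so please confirm the value is still consumed further down in the function; otherwise the `ima_must_appraise()` assignment is now dead. The behaviour change also deserves a short comment at this spot: a file that falls outside the appraise policy after a setattr now keeps whatever `security.ima` value it carried, so a stale value can persist until something else rewrites it. Minor changelog wording: the call being removed is the in-kernel helper `__vfs_removexattr()`, not the removexattr() system call.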