The function ima_inode_setxattr() must call ima_reset_appraise_flags()
only if the extended attribute 'security.ima' is being set. This patch
prevents the latter function from being invoked for other extended attributes.
Signed-off-by: Roberto Sassu <[email protected]>
---
security/integrity/ima/ima_main.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index cd29bf2..32dadfa 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -380,9 +380,11 @@ void ima_inode_post_setattr(struct dentry *dentry)
static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
const void *xattr_value, size_t xattr_value_len)
{
- if ((strcmp(xattr_name, XATTR_NAME_IMA) == 0)
- && !capable(CAP_SYS_ADMIN))
- return -EPERM;
+ if (strcmp(xattr_name, XATTR_NAME_IMA) == 0) {
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ return 1;
+ }
return 0;
}
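Review bot: The new three-way return of ima_protect_xattr() (0 for a non-IMA xattr, 1 for security.ima set by a CAP_SYS_ADMIN caller, -EPERM otherwise) is undocumented at the definition, and any other caller in this file that still tests `if (!result)` would now treat the positive value as a failure; only ima_inode_setxattr is adjusted in this patch, so the remaining callers should be checked. A header comment above the function would pin the contract: `/* Returns 1 if xattr_name is XATTR_NAME_IMA and the caller may modify it, 0 if the xattr is not protected by IMA, -EPERM if the caller lacks CAP_SYS_ADMIN. */`. The dentry, xattr_value and xattr_value_len parameters are unused in the visible body, which is worth noting in the same comment so readers do not assume the value is validated here.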
@@ -411,8 +413,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
result = ima_protect_xattr(dentry, xattr_name, xattr_value,
xattr_value_len);
- if (!result)
+ if (result == 1) {
ima_reset_appraise_flags(dentry->d_inode);
+ result = 0;
+ }
return result;
}
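Review bot: The literal `1` tested at `if (result == 1)` is a bare magic value whose meaning lives only in ima_protect_xattr(); a one-line comment at the check would keep the intent readable, e.g. `/* 1: security.ima is being set by an authorized caller; reset appraisal state */`. Folding the positive value back with `result = 0` is correct for the hook's caller but should also be noted, since a reader may otherwise expect the helper's return to pass through unchanged. The start of ima_inode_setxattr() lies outside the hunk.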
--
1.7.2.3