author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-05-07 17:03:42 +0300 |
---|---|---|
committer | Dmitry Kasatkin <dmitry.kasatkin@huawei.com> | 2015-10-22 22:53:37 +0300 |
commit | 2726106068dfed5c9a9ffac7165f917c4138a28c (patch) | |
tree | ab35bc34062ac56f4265f561bbfbe42535027fc1 | |
parent | ff4fc2bfaf115db0f3bfb64db55b495627746dbf (diff) | |
download | linux-digsig-ima-dir-experimental.tar.gz |
ima_dir: honor appraise permit actionima-dir-experimental
This patch handles the appraise permit action flag.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
-rw-r--r-- | security/integrity/ima/ima_dir.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_dir.c b/security/integrity/ima/ima_dir.c
index a96ee1ae01db80..48661626872bc1 100644
--- a/security/integrity/ima/ima_dir.c
+++ b/security/integrity/ima/ima_dir.c
@@ -184,6 +184,7 @@ static int dir_measurement(struct path *path, struct file *file, int mask)
 	int rc = 0, action, xattr_len = 0, func = DIR_CHECK;
 	struct evm_ima_xattr_data *xattr_value = NULL;
 	enum hash_algo algo;
+	int permit;
 
 	if (!ima_dir_enabled || !ima_initialized)
 		return 0;
@@ -193,6 +194,7 @@ static int dir_measurement(struct path *path, struct file *file, int mask)
 	iint = integrity_iint_find(inode);
 	BUG_ON(!iint);
 
+	permit = iint->flags & IMA_APPRAISE_PERMIT;
 	action = iint->flags & IMA_DO_MASK;
 	action &= ~((iint->flags & IMA_DONE_MASK) >> 1);
 
@@ -215,6 +217,8 @@ static int dir_measurement(struct path *path, struct file *file, int mask)
 	if (action < 0)
 		return action;
 
+	permit = action & IMA_APPRAISE_PERMIT;
+
 	mutex_lock(&inode->i_mutex);
 	iint = integrity_inode_get(inode);
 
@@ -248,8 +252,8 @@ static int dir_measurement(struct path *path, struct file *file, int mask)
 out_locked:
 	mutex_unlock(&inode->i_mutex);
 out_unlocked:
-	if (ima_appraise & IMA_APPRAISE_ENFORCE)
-		return rc ? -EACCES : 0;
+	if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE) && !permit)
+		return -EACCES;
 	return 0;
 }
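Review bot: `permit` is declared uninitialized in the first hunk but only assigned in the second and third hunks, so any path between the declaration and those assignments that jumps to `out_unlocked` (the lines after the `ima_initialized` check are outside the hunks, so this cannot be confirmed here) would evaluate `!permit` on an indeterminate value and base the enforcement decision on it. Declaring it `int permit = 0;` makes the fallback fail closed: without a positive permit decision, an appraisal failure in enforce mode still returns -EACCES. It is also worth confirming that IMA_APPRAISE_PERMIT is actually carried into `iint->flags`, since the second hunk reads the bit from there while the third reads it from `action`; if only the action path sets it, the cached-iint path will never honor the permit flag. dir_measurement starts before the first hunk and its tail is the last hunk.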