Even if allowed to update security.ima, reset the appraisal flags, forcing re-appraisal. Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx> --- security/integrity/ima/ima_main.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 3713d55..0dbfdd6 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -386,18 +386,47 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, return 0; } +static void ima_reset_appraise_flags(struct inode *inode) +{ + struct integrity_iint_cache *iint; + + if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)) + return; + + iint = integrity_iint_find_get(inode); + if (!iint) + return; + + mutex_lock(&iint->mutex); + iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED); + mutex_unlock(&iint->mutex); + kref_put(&iint->refcount, iint_free); + return; +} + int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { - return ima_protect_xattr(dentry, xattr_name, xattr_value, + int result; + + result = ima_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); + if (!result) + ima_reset_appraise_flags(dentry->d_inode); + return result; } int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) { - return ima_protect_xattr(dentry, xattr_name, NULL, 0); + int result; + + result = ima_protect_xattr(dentry, xattr_name, NULL, 0); + if (!result) + ima_reset_appraise_flags(dentry->d_inode); + return result; } + static int __init init_ima(void) { int error; -- 1.7.1.1 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html