The patch implementing modsig support will retry verifying the xattr signature if the modsig verification fails, and if we have already passed the modsig as the xattr_value we'll have problems if we pass the xattr sig in the second call to evm_verifyxattr. Since this is an optimization and not actually required, just don't do it. Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Signed-off-by: Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxxxxxxx> --- security/integrity/ima/ima_appraise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 091977c8ec40..58e147049e98 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -229,7 +229,7 @@ int ima_appraise_measurement(enum ima_hooks func, goto out; } - status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); + status = evm_verifyxattr(dentry, XATTR_NAME_IMA, NULL, 0, iint); switch (status) { case INTEGRITY_PASS: case INTEGRITY_UNKNOWN: