[RFC][PATCH v2 2/9] ima: preserve flags in ima_inode_post_setattr() if file must be appraised

Before commit d79d72e02485 ("ima: per hook cache integrity appraisal
status"), ima_inode_post_setattr() clears the iint flags only if the file
does not match policy rules after attributes changed. After the commit
above, it clears the flags in any case. This patch restores the original
behavior.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
 security/integrity/ima/ima_appraise.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 1b56ee949315..a54ad18affb1 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -360,11 +360,13 @@ void ima_inode_post_setattr(struct dentry *dentry)
 	must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
 	iint = integrity_iint_find(inode);
 	if (iint) {
-		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
-				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-				 IMA_ACTION_RULE_FLAGS);
 		if (must_appraise)
 			iint->flags |= IMA_APPRAISE;
+		else
+			iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
+					 IMA_APPRAISE_SUBMASK |
+					 IMA_APPRAISED_SUBMASK |
+					 IMA_ACTION_RULE_FLAGS);
 	}
 	if (!must_appraise)
 		__vfs_removexattr(dentry, XATTR_NAME_IMA);
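Review bot: in the must_appraise branch the patch now keeps IMA_APPRAISED, IMA_APPRAISE_SUBMASK, IMA_APPRAISED_SUBMASK and IMA_ACTION_RULE_FLAGS across an attribute change, but the changelog only says this restores the pre-d79d72e02485 behaviour; please state why a cached appraisal verdict and the previously matched rule flags are still valid after setattr on a file that must be appraised (or which later hook re-evaluates them), since the only other effect of !must_appraise here is the __vfs_removexattr() of security.ima, which leaves the must_appraise path with no re-validation trigger in this function. A minor style point: the four-line mask `IMA_APPRAISE | IMA_APPRAISED | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | IMA_ACTION_RULE_FLAGS` is now only cleared in the else branch; a named mask constant would make the intent of "clear everything appraisal-related" easier to audit.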
-- 
2.11.0
