Re: [PATCH v3 07/10] ima: re-evaluate file integrity on file metadata change

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> @@ -286,7 +288,8 @@ static int process_measurement(struct file *file, const
> struct cred *cred,
>  	}
>  
>  	/*
> -	 * On stacked filesystems, detect and re-evaluate file data changes.
> +	 * On stacked filesystems, detect and re-evaluate file data and
> +	 * metadata changes.
>  	 */
>  	real_inode = d_real_inode(file_dentry(file));
>  	if (real_inode != inode &&
> @@ -297,6 +300,15 @@ static int process_measurement(struct file *file, const
> struct cred *cred,
>  			iint->flags &= ~IMA_DONE_MASK;
>  			iint->measured_pcrs = 0;
>  		}
> +
> +		/*
> +		 * Reset the EVM status when metadata changed.
> +		 */

-> To force re-validation, reset both the EVM and IMA status when the metadata
changes.

Mimi

> +		metadata_inode = d_inode(d_real(file_dentry(file),
> +					 D_REAL_METADATA));
> +		if (evm_metadata_changed(inode, metadata_inode))
> +			iint->flags &= ~(IMA_APPRAISED |
> +					 IMA_APPRAISED_SUBMASK);
>  	}
>  
>  	/* Determine if already appraised/measured based on bitmask
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux