On Tue, 2025-02-04 at 13:57 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Commit 0d73a55208e9 ("ima: re-introduce own integrity cache lock")
> mistakenly reverted the performance improvement introduced in commit
> 42a4c603198f0 ("ima: fix ima_inode_post_setattr"). The unused bit mask was
> subsequently removed by commit 11c60f23ed13 ("integrity: Remove unused
> macro IMA_ACTION_RULE_FLAGS").
>
> Restore the performance improvement by introducing the new mask
> IMA_NONACTION_RULE_FLAGS, equal to IMA_NONACTION_FLAGS without
> IMA_NEW_FILE, which is not a rule-specific flag.
>
> Finally, reset IMA_NONACTION_RULE_FLAGS instead of IMA_NONACTION_FLAGS in
> process_measurement(), if the IMA_CHANGE_ATTR atomic flag is set (after
> file metadata modification).
>
> With this patch, new files for which metadata were modified while they are
> still open, can be reopened before the last file close (when security.ima
> is written), since the IMA_NEW_FILE flag is not cleared anymore. Otherwise,
> appraisal fails because security.ima is missing (files with IMA_NEW_FILE
> set are an exception).
>
> Cc: stable@xxxxxxxxxxxxxxx # v4.16.x
> Fixes: 0d73a55208e9 ("ima: re-introduce own integrity cache lock")
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Thanks!

Mimi