This is a note to let you know that I've just added the patch titled
ima: Don't remove security.ima if file must not be appraised
to the 5.12-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ima-don-t-remove-security.ima-if-file-must-not-be-ap.patch
and it can be found in the queue-5.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 0ca2b20c8fdbc927ad33bb6acc0f650081e3497b
Author: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Date: Fri May 14 17:27:53 2021 +0200
ima: Don't remove security.ima if file must not be appraised
[ Upstream commit ed1b472fc15aeaa20ddeeb93fd25190014e50d17 ]
Files might come from a remote source and might have xattrs, including
security.ima. It should not be IMA task to decide whether security.ima
should be kept or not. This patch removes the removexattr() system
call in ima_inode_post_setattr().
Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 565e33ff19d0..d7cc6f897746 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -522,8 +522,6 @@ void ima_inode_post_setattr(struct user_namespace *mnt_userns,
return;
action = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, POST_SETATTR);
- if (!action)
- __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_IMA);
iint = integrity_iint_find(inode);
if (iint) {
set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
