4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
[ Upstream commit a9a4935d44b58c858a81393694bc232a96cdcbd4 ]
The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly.
Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions")
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -384,7 +384,7 @@ int ima_match_policy(struct inode *inode
action |= entry->action & IMA_DO_MASK;
if (entry->action & IMA_APPRAISE) {
action |= get_subaction(entry, func);
- action ^= IMA_HASH;
+ action &= ~IMA_HASH;
}
if (entry->action & IMA_DO_MASK)
