[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Found matching upstream commit but patch is missing proper reference to it

Found matching upstream commit: 57a0ef02fefafc4b9603e33a18b669ba5ce59ba3

WARNING: Author mismatch between patch and found commit:
Backport author: Mimi Zohar<zohar@xxxxxxxxxxxxx>
Commit author: Roberto Sassu<roberto.sassu@xxxxxxxxxx>

Note: The patch differs from the upstream commit:
---
1: 57a0ef02fefaf ! 1: 6f8f39f341145 ima: Reset IMA_NONACTION_RULE_FLAGS after post_setattr @@ Commit message Fixes: 0d73a55208e9 ("ima: re-introduce own integrity cache lock") Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> - - ## security/integrity/ima/ima.h ## -@@ security/integrity/ima/ima.h: struct ima_kexec_hdr { - #define IMA_CHECK_BLACKLIST 0x40000000 - #define IMA_VERITY_REQUIRED 0x80000000 - -+/* Exclude non-action flags which are not rule-specific. */ -+#define IMA_NONACTION_RULE_FLAGS (IMA_NONACTION_FLAGS & ~IMA_NEW_FILE) -+ - #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ - IMA_HASH | IMA_APPRAISE_SUBMASK) - #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \ + (cherry picked from commit 57a0ef02fefafc4b9603e33a18b669ba5ce59ba3) ## security/integrity/ima/ima_main.c ## @@ security/integrity/ima/ima_main.c: static int process_measurement(struct file *file, const struct cred *cred, @@ security/integrity/ima/ima_main.c: static int process_measurement(struct file *f /* * Re-evaulate the file if either the xattr has changed or the + + ## security/integrity/integrity.h ## +@@ + #define IMA_CHECK_BLACKLIST 0x40000000 + #define IMA_VERITY_REQUIRED 0x80000000 + ++/* Exclude non-action flags which are not rule-specific. 
*/ ++#define IMA_NONACTION_RULE_FLAGS (IMA_NONACTION_FLAGS & ~IMA_NEW_FILE) ++ + #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ + IMA_HASH | IMA_APPRAISE_SUBMASK) + #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        | Success     | Success    |
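
Review bot: in the security/integrity/integrity.h hunk, IMA_NONACTION_RULE_FLAGS is defined in a different header than upstream, which adds it to security/integrity/ima/ima.h, and the commit message change shown adds only the "(cherry picked from commit 57a0ef02fefafc4b9603e33a18b669ba5ce59ba3)" line with no explanation of that move. Suggest a short bracketed backport note in the commit message saying that the define goes into integrity.h on stable/linux-6.6.y and why, so the difference from 57a0ef02fefaf is not mistaken for an accident. The report also flags an author mismatch (backport author Mimi Zohar, commit author Roberto Sassu); a From: line naming the upstream author at the top of the patch body would preserve the original authorship.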