From: Roberto Sassu <roberto.sassu@huawei.com> hulk inclusion category: feature feature: digest-lists --------------------------- The EVM ignore mode works similarly to the metadata modification mode. They both allow an operation to be performed even if the operation causes metadata to become invalid. Currently, evm_reset_status() notifies to IMA that an operation modified metadata only when the metadata modification mode was chosen. This patch sends a notification also when the ignore mode is selected. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- security/integrity/evm/evm_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 5155ff4c4ef2..2d3c1670d8d3 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -570,7 +570,8 @@ static void evm_reset_status(struct inode *inode, int bit) iint = integrity_iint_find(inode); if (iint) { - if (evm_initialized & EVM_ALLOW_METADATA_WRITES) + if ((evm_initialized & EVM_ALLOW_METADATA_WRITES) || + evm_ignoremode) set_bit(bit, &iint->atomic_flags); iint->evm_status = INTEGRITY_UNKNOWN; -- 2.25.1
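Review bot: in the evm_reset_status() hunk, the new `|| evm_ignoremode` term is not gated on `evm_initialized` the way the existing `EVM_ALLOW_METADATA_WRITES` check is, so the atomic flag bit is now set in ignore mode regardless of whether EVM has been initialized or a key loaded; if that is intentional, please state it in the commit message, and if not, fold the check inside the `evm_initialized` test. The hunk also references `evm_ignoremode`, which is neither declared in this hunk nor mentioned in the diffstat, so the commit message should name the patch in the digest-lists series that introduces it to make the dependency explicit for reviewers and bisection.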