hulk inclusion category: feature feature: digest-lists
---------------------------
This patch moves the meta_immutable check after the check of the EVM status. Even though IMA would otherwise continue appraisal verification when the status is not good (e.g. INTEGRITY_UNKNOWN), with this patch any status other than INTEGRITY_PASS_IMMUTABLE is refused if the meta_immutable requirement was specified.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- security/integrity/ima/ima_appraise.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index c6376ec28ccd..2f77f086df36 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -229,14 +229,6 @@ int ima_appraise_measurement(enum ima_hooks func,
 switch (status) {
 case INTEGRITY_PASS:
 case INTEGRITY_PASS_IMMUTABLE:
- if (iint->flags & IMA_META_IMMUTABLE_REQUIRED &&
- status != INTEGRITY_PASS_IMMUTABLE) {
- status = INTEGRITY_FAIL;
- cause = "metadata-modifiable";
- integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
- filename, op, cause, rc, 0);
- goto out;
- }
 break;
 case INTEGRITY_UNKNOWN:
 if (ima_appraise_req_evm &&
@@ -264,6 +256,15 @@ int ima_appraise_measurement(enum ima_hooks func,
 WARN_ONCE(true, "Unexpected integrity status %d\n", status);
 }
+ if ((iint->flags & IMA_META_IMMUTABLE_REQUIRED) &&
+ status != INTEGRITY_PASS_IMMUTABLE) {
+ status = INTEGRITY_FAIL;
+ cause = "metadata-modifiable";
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
+ filename, op, cause, rc, 0);
+ goto out;
+ }
+
 switch (xattr_value->type) {
 case EVM_IMA_XATTR_DIGEST_LIST:
 set_bit(IMA_DIGEST_LIST, &iint->atomic_flags);
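Review bot: The relocated check in this hunk carries no comment explaining why it now sits after the status switch instead of under the INTEGRITY_PASS cases, yet that placement is the whole point of the change: it also catches statuses the switch lets through without a `goto out`, such as the default branch that only calls WARN_ONCE and, presumably, the INTEGRITY_UNKNOWN branch whose ima_appraise_req_evm condition is cut off in the first hunk. A short comment above the new `if` would preserve that intent for the next reader, e.g. `/* A meta_immutable rule accepts only INTEGRITY_PASS_IMMUTABLE from EVM; any other status, including those the switch above tolerates, fails appraisal. */`. The first hunk is the matching removal and needs nothing further. ima_appraise_measurement begins before the first hunk and continues past this one, so the out: label and any later use of status and rc are not visible here.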