From: Roberto Sassu <roberto.sassu@huawei.com>

hulk inclusion
category: feature
feature: digest-lists

---------------------------
The EVM ignore mode works similarly to the metadata modification mode. They both allow an operation to be performed even if the operation causes metadata to become invalid.
Currently, evm_reset_status() notifies IMA that an operation modified metadata only when the metadata modification mode was chosen. This patch sends a notification also when the ignore mode is selected.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 security/integrity/evm/evm_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 5155ff4c4ef2..2d3c1670d8d3 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -570,7 +570,8 @@ static void evm_reset_status(struct inode *inode, int bit)
iint = integrity_iint_find(inode); if (iint) { - if (evm_initialized & EVM_ALLOW_METADATA_WRITES) + if ((evm_initialized & EVM_ALLOW_METADATA_WRITES) || + evm_ignoremode) set_bit(bit, &iint->atomic_flags);
iint->evm_status = INTEGRITY_UNKNOWN;
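Review bot: the new condition in evm_reset_status() reads `evm_ignoremode`, but nothing in this diff declares or defines it, so the patch only builds if that symbol is already visible in evm_main.c from an earlier patch in the digest-lists series; please confirm that ordering (or move the declaration into this patch) so the tree stays bisectable. It would also help to state in the commit message that the change is limited to setting the atomic flag bit on the iint, since the actual notification to IMA happens wherever that flag is later consumed, not in the lines touched here.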