3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Nov 2017 16:55:49 +0000 (17:55 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Nov 2017 16:55:49 +0000 (17:55 +0100)
added patches:
ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch

queue-3.18/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch b/queue-3.18/ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch
new file mode 100644 (file)
index 0000000..ef72b1d
--- /dev/null
@@ -0,0 +1,46 @@
+From 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Tue, 7 Nov 2017 11:37:07 +0100
+Subject: ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb upstream.
+
+Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters")
+moved the call of ima_file_check() from may_open() to do_filp_open() at a
+point where the file descriptor is already opened.
+
+This breaks the assumption made by IMA that file descriptors being closed
+belong to files whose access was granted by ima_file_check(). The
+consequence is that security.ima and security.evm are updated with good
+values, regardless of the current appraisal status.
+
+For example, if a file does not have security.ima, IMA will create it after
+opening the file for writing, even if access is denied. Access to the file
+will be allowed afterwards.
+
+Avoid this issue by checking the appraisal status before updating
+security.ima.
+
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_appraise.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -297,6 +297,9 @@ void ima_update_xattr(struct integrity_i
+       if (iint->flags & IMA_DIGSIG)
+               return;
++      if (iint->ima_file_status != INTEGRITY_PASS)
++              return;
++
+       rc = ima_collect_measurement(iint, file, NULL, NULL);
+       if (rc < 0)
+               return;
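Review bot: The added check before ima_collect_measurement() relies on `iint->ima_file_status` being set only by the appraisal path, so a file that matched a measurement rule but no appraise rule presumably keeps its initial non-PASS status and the "fix" rewrite of security.ima is now skipped for never-appraised files as well as for failed appraisals; that matches the description but is not obvious at this site and deserves a comment such as `/* only fix security.ima when appraisal of this open actually passed */`. If this 3.18 tree already supports the `hash` policy action (IMA_HASH), a hash-only rule would likewise never reach INTEGRITY_PASS and the new early return would suppress the security.ima write that rule exists to produce, so confirm against the tree before carrying the backport as-is. ima_update_xattr's body continues past the hunk (the collect/fix sequence after the `rc < 0` return).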
index 54104e2c5866f3b631792784dd70014b20a0bb9d..40bd8a5c555f1f1143da32d783f2766874c4746e 100644 (file)
@@ -6,3 +6,4 @@ sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
 fealnx-fix-building-error-on-mips.patch
 af_netlink-ensure-that-nlmsg_done-never-fails-in-dumps.patch
 vlan-fix-a-use-after-free-in-vlan_device_event.patch
+ima-do-not-update-security.ima-if-appraisal-status-is-not-integrity_pass.patch