From: Mimi Zohar Date: Sun, 11 Mar 2018 04:07:34 +0000 (-0500) Subject: ima: clear IMA_HASH X-Git-Tag: v4.17-rc1~79^2~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9a4935d44b58c858a81393694bc232a96cdcbd4;p=thirdparty%2Fkernel%2Flinux.git ima: clear IMA_HASH The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly. Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions") Signed-off-by: Mimi Zohar --- diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e3da29af2c163..40557c06300ff 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -389,7 +389,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) { action |= get_subaction(entry, func); - action ^= IMA_HASH; + action &= ~IMA_HASH; } if (entry->action & IMA_DO_MASK)
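Review bot: The new `action &= ~IMA_HASH;` line inside the `if (entry->action & IMA_APPRAISE)` block carries no comment saying why an appraise rule drops the hash bit, and the changelog's "Clear IMA_HASH properly" does not name the failure being fixed. The removed `action ^= IMA_HASH;` toggles the bit instead of clearing it, so whenever IMA_HASH was not already set in `action` at that point, the old code turned it on. Suggest a one-line comment above the mask that repeats the reason given in the commit message (the IMA_APPRAISE and IMA_HASH policies overlap), and a sentence in the changelog describing the observable effect of the toggle so that anyone backporting alongside da1b0029f527 can judge the impact.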