git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Mimi Zohar <zohar@linux.ibm.com>
	Mon, 27 Jan 2025 15:24:13 +0000 (10:24 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 20 Apr 2025 08:18:10 +0000 (10:18 +0200)
commit	34e7194cfa84fc8cc9965327181acae959f15ebb
tree	426f580e700f19cdae1d7b90532aa2b50cadb99c	tree \| snapshot
parent	8fe8f88a29ce6e2ba9a0d5eb0c9b98e04e2ccbe4	commit \| diff

ima: limit the number of open-writers integrity violations

commit 5b3cd801155f0b34b0b95942a5b057c9b8cad33e upstream.

Each time a file in policy, that is already opened for write, is opened
for read, an open-writers integrity violation audit message is emitted
and a violation record is added to the IMA measurement list. This
occurs even if an open-writers violation has already been recorded.

Limit the number of open-writers integrity violations for an existing
file open for write to one. After the existing file open for write
closes (__fput), subsequent open-writers integrity violations may be
emitted.

Cc: stable@vger.kernel.org # applies cleanly up to linux-6.6
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

security/integrity/ima/ima.h		diff \| blob \| blame \| history
security/integrity/ima/ima_main.c		diff \| blob \| blame \| history