git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Mimi Zohar <zohar@linux.ibm.com>
	Mon, 27 Jan 2025 15:24:13 +0000 (10:24 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 20 Apr 2025 08:15:43 +0000 (10:15 +0200)
commit	48085ab823f00cb7a63ce1cdf2185214d89590a2
tree	4cf4caee5f531ac64d94cf7b1863e54a248e86d0	tree
parent	9a264e4a595df65eeeaf35d3ba4af8c73a9ffb36	commit \| diff

ima: limit the number of open-writers integrity violations

commit 5b3cd801155f0b34b0b95942a5b057c9b8cad33e upstream.

Each time a file in policy, that is already opened for write, is opened
for read, an open-writers integrity violation audit message is emitted
and a violation record is added to the IMA measurement list. This
occurs even if an open-writers violation has already been recorded.

Limit the number of open-writers integrity violations for an existing
file open for write to one. After the existing file open for write
closes (__fput), subsequent open-writers integrity violations may be
emitted.

Cc: stable@vger.kernel.org # applies cleanly up to linux-6.6
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Tested-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

security/integrity/ima/ima.h		diff \| blob \| blame \| history
security/integrity/ima/ima_main.c		diff \| blob \| blame \| history