summaryrefslogtreecommitdiff
path: root/security/integrity
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>2012-09-20 22:38:53 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-01-16 15:47:07 -0500
commitdef3e8b9ee23cb69036910e48ec4e3eff40e04cb (patch)
tree0840ab9e618f15f4c3c5e8ee6fafe5a17c814af2 /security/integrity
parente90805656d4683f84d360276102ae63adc777a38 (diff)
ima: set appraise status in fix mode only when xattr is fixed
When a file system is mounted read-only, setting the xattr value in fix mode fails with an error code -EROFS. The xattr should be fixed after the file system is remounted read-write. This patch verifies that the set xattr succeeds, before setting the appraise status value to INTEGRITY_PASS. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_appraise.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index bdc8ba1d1d27..b240c58403e2 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -42,12 +42,13 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
return ima_match_policy(inode, func, mask, IMA_APPRAISE);
}
-static void ima_fix_xattr(struct dentry *dentry,
+static int ima_fix_xattr(struct dentry *dentry,
struct integrity_iint_cache *iint)
{
iint->ima_xattr.type = IMA_XATTR_DIGEST;
- __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr,
- sizeof iint->ima_xattr, 0);
+ return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
+ (u8 *)&iint->ima_xattr,
+ sizeof(iint->ima_xattr), 0);
}
/*
@@ -141,8 +142,8 @@ out:
if ((ima_appraise & IMA_APPRAISE_FIX) &&
(!xattr_value ||
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
- ima_fix_xattr(dentry, iint);
- status = INTEGRITY_PASS;
+ if (!ima_fix_xattr(dentry, iint))
+ status = INTEGRITY_PASS;
}
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
op, cause, rc, 0);