On 15-12-08 13:01:18, Mimi Zohar wrote:
> While creating a temporary list of new rules, the ima_appraise flag is
> updated, but not reverted on failure to append the new rules to the
> existing policy. This patch defines temp_ima_appraise flag. Only when
> the new rules are appended to the policy is the flag updated.
>
> Signed-off-by: Mimi Zohar <[email protected]>
FWIW - ACK.
cheers,
Petko
> ---
> security/integrity/ima/ima_policy.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c
> b/security/integrity/ima/ima_policy.c
> index 2f4e0f5..ba5d2fc 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -40,6 +40,7 @@
> #define AUDIT 0x0040
>
> int ima_policy_flag;
> +static int temp_ima_appraise;
>
> #define MAX_LSM_RULES 6
> enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
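Review bot: the new `static int temp_ima_appraise;` carries no comment explaining why it exists beside `ima_appraise`; a one-line comment stating that it accumulates IMA_APPRAISE_* bits while the temporary rule list is being parsed and is only merged into `ima_appraise` once the rules are committed would make the split obvious to the next reader.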
> @@ -370,6 +371,7 @@ void ima_update_policy_flag(void)
> ima_policy_flag |= entry->action;
> }
>
> + ima_appraise |= temp_ima_appraise;
> if (!ima_appraise)
> ima_policy_flag &= ~IMA_APPRAISE;
> }
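Review bot: `temp_ima_appraise` is OR'ed into `ima_appraise` here but never cleared afterwards; within this patch it is only reset at the top of ima_delete_rules. Because the OR is idempotent this is harmless for a successful load, but either clearing it right after the merge or adding a comment saying that stale bits are intentionally carried until the next ima_delete_rules would make the flag's lifetime explicit.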
> @@ -757,9 +759,9 @@ static int ima_parse_rule(char *rule, struct
> ima_rule_entry *entry)
> if (!result && (entry->action == UNKNOWN))
> result = -EINVAL;
> else if (entry->func == MODULE_CHECK)
> - ima_appraise |= IMA_APPRAISE_MODULES;
> + temp_ima_appraise |= IMA_APPRAISE_MODULES;
> else if (entry->func == FIRMWARE_CHECK)
> - ima_appraise |= IMA_APPRAISE_FIRMWARE;
> + temp_ima_appraise |= IMA_APPRAISE_FIRMWARE;
> audit_log_format(ab, "res=%d", !result);
> audit_log_end(ab);
> return result;
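Review bot: the else-if chain still sets `temp_ima_appraise` for MODULE_CHECK and FIRMWARE_CHECK even when `result` is already non-zero for that rule, since only the first branch tests `!result`. With this patch that is safe only because ima_delete_rules discards `temp_ima_appraise` when the policy update fails; consider guarding the two `temp_ima_appraise |= ...` lines with `!result`, or add a comment pointing out that dependency.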
> @@ -821,6 +823,7 @@ void ima_delete_rules(void)
> struct ima_rule_entry *entry, *tmp;
> int i;
>
> + temp_ima_appraise = 0;
> list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
> for (i = 0; i < MAX_LSM_RULES; i++)
> kfree(entry->lsm[i].args_p);
> --
> 2.1.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html