Message ID | 20210322154207.6802-1-zohar@linux.ibm.com (mailing list archive)
---|---
State | New, archived
Series | [1/2] ima: don't access a file's integrity status before an IMA policy is loaded
On Mon, Mar 22, 2021 at 11:42:06AM -0400, Mimi Zohar wrote:
> Only after an IMA policy is loaded, check, save, or update the cached
> file's integrity status.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

This commit message doesn't describe what the actual effect of this change is.
Is it fixing something?

- Eric
On Mon, 2021-03-22 at 09:51 -0700, Eric Biggers wrote:
> On Mon, Mar 22, 2021 at 11:42:06AM -0400, Mimi Zohar wrote:
> > Only after an IMA policy is loaded, check, save, or update the cached
> > file's integrity status.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>
> This commit message doesn't describe what the actual effect of this change is.
> Is it fixing something?

No, it's just short circuiting out even earlier, but isn't needed.

Mimi
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 9ef748ea829f..9d1196f712e1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -606,6 +606,9 @@ void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct integrity_iint_cache *iint; int must_appraise; + if (!ima_policy_flag || !S_ISREG(inode->i_mode)) + return; + must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, FILE_CHECK); if (!must_appraise) @@ -636,6 +639,9 @@ void ima_post_path_mknod(struct user_namespace *mnt_userns, struct inode *inode = dentry->d_inode; int must_appraise; + if (!ima_policy_flag || !S_ISREG(inode->i_mode)) + return; + must_appraise = ima_must_appraise(mnt_userns, inode, MAY_ACCESS, FILE_CHECK); if (!must_appraise)
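Review bot: The early return added to ima_post_create_tmpfile() (`+ if (!ima_policy_flag || !S_ISREG(inode->i_mode))` / `+ return;`) is not explained by the commit message, which only says to act "after an IMA policy is loaded"; the reply in this thread confirms it is a short-circuit rather than a fix, and the existing `if (!must_appraise)` test right below already covers the no-appraisal path. Either state in the commit message that this only avoids the ima_must_appraise() call when no policy is loaded or the inode is not a regular file, or drop the hunk if it is not needed.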
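Review bot: In the ima_post_path_mknod() hunk the new `!S_ISREG(inode->i_mode)` condition is not mentioned anywhere in the commit message, which speaks only of the policy being loaded, yet it changes which inodes reach ima_must_appraise(). Either document why non-regular inodes created via mknod are skipped here, or reduce the check to `!ima_policy_flag` so that the hunk matches its description.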
Only after an IMA policy is loaded, check, save, or update the cached
file's integrity status.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima_main.c | 6 ++++++
 1 file changed, 6 insertions(+)