diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-13 07:39:39 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-13 07:39:39 -0700 |
| commit | aa569fa0ea32d1c24fb801a07d2d9174cbbdde23 (patch) | |
| tree | 54c211a790684e0a93d6139634251152c703bbc2 /security/integrity/ima/ima_main.c | |
| parent | 6d87c225f5d82d29243dc124f1ffcbb0e14ec358 (diff) | |
| parent | 0430e49b6e7c6b5e076be8fefdee089958c9adad (diff) | |
Merge branch 'serge-next-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security
Pull more security layer updates from Serge Hallyn:
"A few more commits had previously failed to make it through
security-next into linux-next but this week made it into linux-next.
At least commit "ima: introduce ima_kernel_read()" was deemed critical
by Mimi to make this merge window.
This is a temporary tree just for this request. Mimi has pointed me
to some previous threads about keeping maintainer trees at the
previous release, which I'll certainly do for anything long-term,
after talking with James"
* 'serge-next-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security:
ima: introduce ima_kernel_read()
evm: prohibit userspace writing 'security.evm' HMAC value
ima: check inode integrity cache in violation check
ima: prevent unnecessary policy checking
evm: provide option to protect additional SMACK xattrs
evm: replace HMAC version with attribute mask
ima: prevent new digsig xattr from being replaced
Diffstat (limited to 'security/integrity/ima/ima_main.c')
| -rw-r--r-- | security/integrity/ima/ima_main.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dcc98cf542d8..09baa335ebc7 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file) { struct inode *inode = file_inode(file); fmode_t mode = file->f_mode; - int must_measure; bool send_tomtou = false, send_writers = false; char *pathbuf = NULL; const char *pathname; @@ -92,18 +91,19 @@ static void ima_rdwr_violation_check(struct file *file) mutex_lock(&inode->i_mutex); /* file metadata: permissions, xattr */ if (mode & FMODE_WRITE) { - if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) - send_tomtou = true; - goto out; + if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { + struct integrity_iint_cache *iint; + iint = integrity_iint_find(inode); + /* IMA_MEASURE is set from reader side */ + if (iint && (iint->flags & IMA_MEASURE)) + send_tomtou = true; + } + } else { + if ((atomic_read(&inode->i_writecount) > 0) && + ima_must_measure(inode, MAY_READ, FILE_CHECK)) + send_writers = true; } - must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK); - if (!must_measure) - goto out; - - if (atomic_read(&inode->i_writecount) > 0) - send_writers = true; -out: mutex_unlock(&inode->i_mutex); if (!send_tomtou && !send_writers) |