author: Roberto Sassu <roberto.sassu@huawei.com> 2017-11-07 11:37:07 +0100
committer: James Morris <james.l.morris@oracle.com> 2017-11-20 08:23:10 +1100
commit: 020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb (patch)
tree: cfe2a7b52894badb8c2a792c241e5a0e6092f56b /tools
parent: Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide (diff)
download: linux-020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb.tar.gz
          linux-020aae3ee58c1af0e7ffc4e2cc9fe4dc630338cb.zip
ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
Commit b65a9cfc2c38 ("Untangling ima mess, part 2: deal with counters") moved the call of ima_file_check() from may_open() to do_filp_open() at a point where the file descriptor is already opened. This breaks the assumption made by IMA that file descriptors being closed belong to files whose access was granted by ima_file_check().

The consequence is that security.ima and security.evm are updated with good values, regardless of the current appraisal status. For example, if a file does not have security.ima, IMA will create it after opening the file for writing, even if access is denied. Access to the file will be allowed afterwards.

Avoid this issue by checking the appraisal status before updating security.ima.

Cc: stable@vger.kernel.org
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'tools')
0 files changed, 0 insertions, 0 deletions
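The failure the commit message describes, as an added example that is not part of this commit or of the kernel's IMA code: a deliberately simplified C model (its structures, enum values beyond INTEGRITY_PASS, and function names are constructed here) contrasting an unconditional xattr refresh on close with one gated on the appraisal status, showing that only the gated version keeps a denied, unlabeled file from becoming accessible on its next open.

```c
#include <stdbool.h>

/* Constructed model of IMA appraisal state; the kernel's integrity_iint_cache
 * and xattr handling are far richer than this. */
enum integrity_status { INTEGRITY_PASS, INTEGRITY_FAIL, INTEGRITY_NOLABEL };

struct model_file {
    bool has_security_ima;        /* does the security.ima xattr exist? */
    enum integrity_status status; /* outcome of the most recent appraisal */
    bool access_denied;           /* did appraisal deny the open? */
};

/* Appraisal at open (model): a file without security.ima is unlabeled
 * and the open is denied; a labeled file is treated as passing. */
static void model_appraise(struct model_file *f)
{
    if (!f->has_security_ima) {
        f->status = INTEGRITY_NOLABEL;
        f->access_denied = true;
    } else {
        f->status = INTEGRITY_PASS;
        f->access_denied = false;
    }
}

/* Pre-fix behaviour: the close path refreshes security.ima with a good
 * value regardless of whether the open was actually granted. */
void model_update_xattr_unconditional(struct model_file *f)
{
    f->has_security_ima = true;
}

/* Post-fix behaviour: refresh security.ima only when appraisal passed. */
void model_update_xattr_gated(struct model_file *f)
{
    if (f->status != INTEGRITY_PASS)
        return;
    f->has_security_ima = true;
}

/* Scenario from the commit message: open an unlabeled file for writing
 * (denied), close it, then open it again. Returns true if the second
 * open is allowed, i.e. the denied open manufactured a valid label. */
bool second_open_allowed(void (*update_on_close)(struct model_file *))
{
    struct model_file f = { .has_security_ima = false };
    model_appraise(&f);   /* first open: no security.ima, access denied */
    update_on_close(&f);  /* fd close path runs the xattr update */
    model_appraise(&f);   /* second open */
    return !f.access_denied;
}
```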