| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Jun 2020 16:33:29 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Roberto Sassu <roberto.sassu@...wei.com>,
Krzysztof Struczynski <krzysztof.struczynski@...wei.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Sasha Levin <sashal@...nel.org>
Subject: [PATCH 5.7 291/376] ima: Set again build_ima_appraise variable
From: Krzysztof Struczynski <krzysztof.struczynski@...wei.com>
[ Upstream commit b59fda449cf07f2db3be3a67142e6c000f5e8d79 ]
After adding the new add_rule() function in commit c52657d93b05
("ima: refactor ima_init_policy()"), all appraisal flags are added to the
temp_ima_appraise variable. Revert to the previous behavior instead of
removing build_ima_appraise, to benefit from the protection offered by
__ro_after_init.
The mentioned commit introduced a bug, as it makes all the flags
modifiable, while build_ima_appraise flags can be protected with
__ro_after_init.
Cc: stable@...r.kernel.org # 5.0.x
Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
Co-developed-by: Roberto Sassu <roberto.sassu@...wei.com>
Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@...wei.com>
Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
security/integrity/ima/ima_policy.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 7414443c19bf..e493063a3c34 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -643,8 +643,14 @@ static void add_rules(struct ima_rule_entry *entries, int count,
list_add_tail(&entry->list, &ima_policy_rules);
}
- if (entries[i].action == APPRAISE)
- temp_ima_appraise |= ima_appraise_flag(entries[i].func);
+ if (entries[i].action == APPRAISE) {
+ if (entries != build_appraise_rules)
+ temp_ima_appraise |=
+ ima_appraise_flag(entries[i].func);
+ else
+ build_ima_appraise |=
+ ima_appraise_flag(entries[i].func);
+ }
}
}
--
2.25.1
Powered by blists - more mailing lists