ima: forbid write access to files with digital signatures

This patch forbids write access to files with digital signatures, as they are considered immutable. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2012-09-27 15:06:28 +0300
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2013-01-16 17:50:05 -0500
commit: a175b8bb29ebbad380ab4788f307fbfc47997b19 (patch)
tree: 8e0dbb1def59d05412e57ff2f9fc089bb304bffa /security
parent: ea1046d4c57ee6e3d5f68f19dd9a45bbab0b71a0 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index d743c9a0a4b..cd00ba39e8e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -175,12 +175,12 @@ static int process_measurement(struct file *file, const char *filename,
 	if (!action) {
 		if (iint->flags & IMA_APPRAISED)
 			rc = iint->ima_status;
-		goto out;
+		goto out_digsig;
 	}
 
 	rc = ima_collect_measurement(iint, file);
 	if (rc != 0)
-		goto out;
+		goto out_digsig;
 
 	if (function != BPRM_CHECK)
 		pathname = ima_d_path(&file->f_path, &pathbuf);
@@ -195,6 +195,9 @@ static int process_measurement(struct file *file, const char *filename,
 	if (action & IMA_AUDIT)
 		ima_audit_measurement(iint, pathname);
 	kfree(pathbuf);
+out_digsig:
+	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
+		rc = -EACCES;
 out:
 	mutex_unlock(&inode->i_mutex);
 	if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
author	Dmitry Kasatkin <dmitry.kasatkin@intel.com>	2012-09-27 15:06:28 +0300
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2013-01-16 17:50:05 -0500
commit	a175b8bb29ebbad380ab4788f307fbfc47997b19 (patch)
tree	8e0dbb1def59d05412e57ff2f9fc089bb304bffa /security
parent	ea1046d4c57ee6e3d5f68f19dd9a45bbab0b71a0 (diff)