From: Mimi Zohar
Subject: [PATCH v3 14/15] ima: appraise measurement required
Date: Fri, 30 Jul 2010 11:45:45 -0400
Message-ID: <1280504746-20256-15-git-send-email-zohar@linux.vnet.ibm.com>
References: <1280504746-20256-1-git-send-email-zohar@linux.vnet.ibm.com>
Cc: Mimi Zohar , linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, James Morris , David Safford , Dave Hansen , Mimi Zohar
To: linux-kernel@vger.kernel.org
Return-path: 
Received: from e5.ny.us.ibm.com ([32.97.182.145]:51517 "EHLO e5.ny.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754792Ab0G3PrU (ORCPT ); Fri, 30 Jul 2010 11:47:20 -0400
In-Reply-To: <1280504746-20256-1-git-send-email-zohar@linux.vnet.ibm.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: 

Even if allowed to update security.ima, reset the appraisal flags,
forcing re-appraisal.

Signed-off-by: Mimi Zohar
---
 security/integrity/ima/ima_main.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 6531765..14c39a5 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -386,18 +386,47 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name, return 0; } +static void ima_reset_appraise_flags(struct inode *inode) +{ + struct integrity_iint_cache *iint; + + if (!ima_initialized || !ima_appraise || !S_ISREG(inode->i_mode)) + return; + + iint = integrity_iint_find_get(inode); + if (!iint) + return; + + mutex_lock(&iint->mutex); + iint->flags &= ~(IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED); + mutex_unlock(&iint->mutex); + kref_put(&iint->refcount, iint_free); + return; +} + int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { - return ima_protect_xattr(dentry, xattr_name, xattr_value, + int result; + + result = ima_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); + if (!result) + ima_reset_appraise_flags(dentry->d_inode); + return result; } int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) { - return ima_protect_xattr(dentry, xattr_name, NULL, 0); + int result; + + result = ima_protect_xattr(dentry, xattr_name, NULL, 0); + if (!result) + ima_reset_appraise_flags(dentry->d_inode); + return result; } + static int __init init_ima(void) { int error; -- 1.7.1.1
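Review bot: the reset in ima_inode_setxattr() and ima_inode_removexattr() fires on every xattr operation for which ima_protect_xattr() returns 0, not only on writes to security.ima: neither caller nor ima_reset_appraise_flags() looks at xattr_name, so setting or removing any unrelated attribute (a user.* name, security.selinux, ...) on a regular file clears IMA_COLLECTED | IMA_APPRAISED | IMA_MEASURED and forces re-collection, re-measurement and re-appraisal of that inode, paying an integrity_iint_find_get() lookup and a mutex round-trip each time. Unless ima_protect_xattr() already returns non-zero for non-IMA names (not visible in this hunk), either gate the reset on the name, e.g. `if (!result && !strcmp(xattr_name, XATTR_NAME_IMA))`, or have ima_protect_xattr() return a distinct positive value only when the name is security.ima and the caller is permitted, and reset on that value alone, e.g. `if (result == 1) { ima_reset_appraise_flags(dentry->d_inode); result = 0; }`. If this hook runs before the filesystem stores the new value (as the security_inode_setxattr() path does), a concurrent open between the flag reset and the store can still appraise against the old security.ima and set IMA_APPRAISED again; a comment stating whether that window is acceptable would help. Minor: the trailing `return;` at the end of the void ima_reset_appraise_flags() is redundant and can be dropped.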