summaryrefslogtreecommitdiff
path: root/security/integrity
diff options
context:
space:
mode:
authorLans Zhang <jia.zhang@windriver.com>2017-01-06 12:38:11 +0800
committerMimi Zohar <zohar@linux.vnet.ibm.com>2017-01-27 14:17:21 -0500
commit20f482ab9e0f800d1e01ce748ebd382d085abe56 (patch)
treec8a2ee29204155ef9ef6c2b7d9586f27499086d5 /security/integrity
parentbc15ed663e7e53ee4dc3e60f8d09c93a0528c694 (diff)
ima: allow to check MAY_APPEND
Otherwise some mask and inmask tokens with MAY_APPEND flag may not work as expected. Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_api.c3
-rw-r--r--security/integrity/ima/ima_main.c6
2 files changed, 5 insertions, 4 deletions
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index d01a52f8f708..c2edba8de35e 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -157,7 +157,8 @@ err_out:
/**
* ima_get_action - appraise & measure decision based on policy.
* @inode: pointer to inode to measure
- * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
+ * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
+ * MAY_APPEND)
* @func: caller identifier
* @pcr: pointer filled in if matched measure policy sets pcr=
*
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index d5e492bd2899..2aebb7984437 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -309,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
/**
* ima_path_check - based on policy, collect/store measurement.
* @file: pointer to the file to be measured
- * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
+ * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
*
* Measure files based on the ima_must_measure() policy decision.
*
@@ -319,8 +319,8 @@ int ima_bprm_check(struct linux_binprm *bprm)
int ima_file_check(struct file *file, int mask, int opened)
{
return process_measurement(file, NULL, 0,
- mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
- FILE_CHECK, opened);
+ mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
+ MAY_APPEND), FILE_CHECK, opened);
}
EXPORT_SYMBOL_GPL(ima_file_check);