[PATCH 4/4] ima: only audit failed appraisal verifications
Roberto Sassu
roberto.sassu at huawei.com
Thu May 16 16:12:57 UTC 2019
This patch ensures that integrity_audit_msg() is called only when the
status is not INTEGRITY_PASS.
Fixes: 8606404fa555c ("ima: digital signature verification support")
Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Cc: stable at vger.kernel.org
---
security/integrity/ima/ima_appraise.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a32ed5d7afd1..f5f4506bcb8e 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -359,8 +359,9 @@ int ima_appraise_measurement(enum ima_hooks func,
status = INTEGRITY_PASS;
}
- integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
- op, cause, rc, 0);
+ if (status != INTEGRITY_PASS)
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
+ filename, op, cause, rc, 0);
} else {
ima_cache_flags(iint, func);
}
--
2.17.1
More information about the Linux-security-module-archive
mailing list