[PATCH 4/4] ima: only audit failed appraisal verifications

Roberto Sassu roberto.sassu at huawei.com
Tue May 21 07:32:26 UTC 2019


On 5/20/2019 11:20 PM, Mimi Zohar wrote:
> On Thu, 2019-05-16 at 18:12 +0200, Roberto Sassu wrote:
>> This patch ensures that integrity_audit_msg() is called only when the
>> status is not INTEGRITY_PASS.
>>
>> Fixes: 8606404fa555c ("ima: digital signature verification support")
>> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
>> Cc: stable at vger.kernel.org
>> ---
>>   security/integrity/ima/ima_appraise.c | 5 +++--
>>   1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
>> index a32ed5d7afd1..f5f4506bcb8e 100644
>> --- a/security/integrity/ima/ima_appraise.c
>> +++ b/security/integrity/ima/ima_appraise.c
>> @@ -359,8 +359,9 @@ int ima_appraise_measurement(enum ima_hooks func,
>>   			status = INTEGRITY_PASS;
>>   		}
>>   
>> -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
>> -				    op, cause, rc, 0);
>> +		if (status != INTEGRITY_PASS)
>> +			integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
>> +					    filename, op, cause, rc, 0);
> 
> For some reason, the integrity verification has failed.  In some
> specific cases, we'll let it pass, but do we really want to remove any
> indication that it failed in all cases?

Ok. It is fine for me to discard the patch.

Roberto

-- 
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI



More information about the Linux-security-module-archive mailing list