ima: set appraise status in fix mode only when xattr is fixed

When a file system is mounted read-only, setting the xattr value in
fix mode fails with an error code -EROFS.  The xattr should be fixed
after the file system is remounted read-write.  This patch verifies
that setting the xattr succeeds before setting the appraise status value
to INTEGRITY_PASS.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index bdc8ba1..b240c58 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -42,12 +42,13 @@
 	return ima_match_policy(inode, func, mask, IMA_APPRAISE);
 }
 
-static void ima_fix_xattr(struct dentry *dentry,
+static int ima_fix_xattr(struct dentry *dentry,
 			  struct integrity_iint_cache *iint)
 {
 	iint->ima_xattr.type = IMA_XATTR_DIGEST;
-	__vfs_setxattr_noperm(dentry, XATTR_NAME_IMA, (u8 *)&iint->ima_xattr,
-			      sizeof iint->ima_xattr, 0);
+	return __vfs_setxattr_noperm(dentry, XATTR_NAME_IMA,
+				     (u8 *)&iint->ima_xattr,
+				      sizeof(iint->ima_xattr), 0);
 }
 
 /*
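Review bot: ima_fix_xattr() now has a return contract that nothing on the function states, and it still assigns `iint->ima_xattr.type = IMA_XATTR_DIGEST` before the write, so that in-memory change persists even when the write fails. A short comment above the definition would make this explicit, for example `/* Returns 0 on success or a negative errno from __vfs_setxattr_noperm() (e.g. -EROFS); callers must not treat the xattr as written on failure. */`. Any other caller of this function outside the hunk should be checked for ignoring the new return value, since treating an unwritten xattr as fixed is exactly what this commit removes. As a style point, the continuation line `sizeof(iint->ima_xattr), 0);` is indented one column further than the `(u8 *)&iint->ima_xattr,` line above it.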
@@ -141,8 +142,8 @@
 		if ((ima_appraise & IMA_APPRAISE_FIX) &&
 		    (!xattr_value ||
 		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
-			ima_fix_xattr(dentry, iint);
-			status = INTEGRITY_PASS;
+			if (!ima_fix_xattr(dentry, iint))
+				status = INTEGRITY_PASS;
 		}
 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
 				    op, cause, rc, 0);
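Review bot: The errno from ima_fix_xattr() is reduced to a boolean at `if (!ima_fix_xattr(dentry, iint))`, so the integrity_audit_msg() call that follows reports only the earlier `cause` and `rc`. An audit record for a failed fix (for instance -EROFS on a read-only mount) therefore looks the same as one for a plain appraisal failure, which makes it harder to tell from the log which files still need their xattr written after a remount. Keeping the value, e.g. `fix_rc = ima_fix_xattr(dentry, iint);` followed by `if (!fix_rc) status = INTEGRITY_PASS;`, would allow the failure to be reported. At minimum the branch should carry a comment such as `/* status stays failing if the xattr could not be written */`. The enclosing function starts and ends outside the hunk, so how `status` and `rc` are used afterwards cannot be confirmed from here.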