4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar zohar@linux.vnet.ibm.com
[ Upstream commit a9a4935d44b58c858a81393694bc232a96cdcbd4 ]
The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly.
Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions") Signed-off-by: Mimi Zohar zohar@linux.vnet.ibm.com Signed-off-by: Sasha Levin alexander.levin@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- security/integrity/ima/ima_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -384,7 +384,7 @@ int ima_match_policy(struct inode *inode action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_APPRAISE) { action |= get_subaction(entry, func); - action ^= IMA_HASH; + action &= ~IMA_HASH; }
if (entry->action & IMA_DO_MASK)