[ Sasha's backport helper bot ]
Hi,
Summary of potential issues:
⚠️ Found matching upstream commit but patch is missing proper reference to it
Found matching upstream commit: 57a0ef02fefafc4b9603e33a18b669ba5ce59ba3
WARNING: Author mismatch between patch and found commit:
Backport author: Mimi Zohar <zohar@linux.ibm.com>
Commit author: Roberto Sassu <roberto.sassu@huawei.com>
Note: The patch differs from the upstream commit: --- 1: 57a0ef02fefaf ! 1: 6f8f39f341145 ima: Reset IMA_NONACTION_RULE_FLAGS after post_setattr @@ Commit message Fixes: 0d73a55208e9 ("ima: re-introduce own integrity cache lock") Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com - - ## security/integrity/ima/ima.h ## -@@ security/integrity/ima/ima.h: struct ima_kexec_hdr { - #define IMA_CHECK_BLACKLIST 0x40000000 - #define IMA_VERITY_REQUIRED 0x80000000 - -+/* Exclude non-action flags which are not rule-specific. */ -+#define IMA_NONACTION_RULE_FLAGS (IMA_NONACTION_FLAGS & ~IMA_NEW_FILE) -+ - #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ - IMA_HASH | IMA_APPRAISE_SUBMASK) - #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \ + (cherry picked from commit 57a0ef02fefafc4b9603e33a18b669ba5ce59ba3)
## security/integrity/ima/ima_main.c ## @@ security/integrity/ima/ima_main.c: static int process_measurement(struct file *file, const struct cred *cred, @@ security/integrity/ima/ima_main.c: static int process_measurement(struct file *f
/* * Re-evaulate the file if either the xattr has changed or the + + ## security/integrity/integrity.h ## +@@ + #define IMA_CHECK_BLACKLIST 0x40000000 + #define IMA_VERITY_REQUIRED 0x80000000 + ++/* Exclude non-action flags which are not rule-specific. */ ++#define IMA_NONACTION_RULE_FLAGS (IMA_NONACTION_FLAGS & ~IMA_NEW_FILE) ++ + #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ + IMA_HASH | IMA_APPRAISE_SUBMASK) + #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \ ---
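Review bot: In the security/integrity/integrity.h hunk, IMA_NONACTION_RULE_FLAGS is defined there rather than in security/integrity/ima/ima.h as in the upstream commit, yet the only commit-message change is the added "(cherry picked from commit 57a0ef02fefafc4b9603e33a18b669ba5ce59ba3)" line, so the relocation is undocumented. Add a short bracketed backport note above the backporter's Signed-off-by saying the define was placed in integrity.h because IMA_CHECK_BLACKLIST and IMA_VERITY_REQUIRED, its neighbours in the context lines, live in that header on this branch; that lets a reader comparing against upstream see the difference is intentional. Given the author mismatch reported above, also check that the patch carries a From: line for Roberto Sassu so authorship matches the upstream commit.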
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        | Success     | Success    |