4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zo...@linux.vnet.ibm.com>
[ Upstream commit a9a4935d44b58c858a81393694bc232a96cdcbd4 ]
The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly.
Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions")
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <alexander.le...@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -384,7 +384,7 @@ int ima_match_policy(struct inode *inode
action |= entry->action & IMA_DO_MASK;
if (entry->action & IMA_APPRAISE) {
action |= get_subaction(entry, func);
- action ^= IMA_HASH;
+ action &= ~IMA_HASH;
}
if (entry->action & IMA_DO_MASK)
