ima: allow to check MAY_APPEND

Otherwise some mask and inmask tokens with MAY_APPEND flag may not work as expected. Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2025-10-31 08:44:41 +00:00 · 2017-01-06 12:38:11 +08:00 · 2017-01-06 12:38:11 +08:00 · 20f482ab9e
commit 20f482ab9e
parent bc15ed663e
2 changed files with 5 additions and 4 deletions
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@ -157,7 +157,8 @@ err_out:
 /**
 * ima_get_action - appraise & measure decision based on policy.
 * @inode: pointer to inode to measure
- * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE)
+ * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
+ *        MAY_APPEND)
 * @func: caller identifier
 * @pcr: pointer filled in if matched measure policy sets pcr=
 *
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@ -309,7 +309,7 @@ int ima_bprm_check(struct linux_binprm *bprm)
 /**
 * ima_path_check - based on policy, collect/store measurement.
 * @file: pointer to the file to be measured
- * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE
+ * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
 *
 * Measure files based on the ima_must_measure() policy decision.
 *
@ -319,8 +319,8 @@ int ima_bprm_check(struct linux_binprm *bprm)
 int ima_file_check(struct file *file, int mask, int opened)
 {
 	return process_measurement(file, NULL, 0,
-				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
-				   FILE_CHECK, opened);
+				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
+					   MAY_APPEND), FILE_CHECK, opened);
 }
 EXPORT_SYMBOL_GPL(ima_file_check);