Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash()

Commit a408e4a86b36 ("ima: open a new file instance if no read
permissions") tries to create a new file descriptor to calculate a file
digest if the file has not been opened with O_RDONLY flag. However, if a
new file descriptor cannot be obtained, it sets the FMODE_READ flag to
file->f_flags instead of file->f_mode.

This patch fixes this issue by replacing f_flags with f_mode as it was
before that commit.

Cc: stable@vger.kernel.org # 4.20.x
Fixes: a408e4a86b36 ("ima: open a new file instance if no read permissions")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Authored by Roberto Sassu and committed by Mimi Zohar
0014cc04 ae83d0b4

+6 -6
security/integrity/ima/ima_crypto.c
··· 411 411 loff_t i_size; 412 412 int rc; 413 413 struct file *f = file; 414 - bool new_file_instance = false, modified_flags = false; 414 + bool new_file_instance = false, modified_mode = false; 415 415 416 416 /* 417 417 * For consistency, fail file's opened with the O_DIRECT flag on ··· 431 431 f = dentry_open(&file->f_path, flags, file->f_cred); 432 432 if (IS_ERR(f)) { 433 433 /* 434 - * Cannot open the file again, lets modify f_flags 434 + * Cannot open the file again, lets modify f_mode 435 435 * of original and continue 436 436 */ 437 437 pr_info_ratelimited("Unable to reopen file for reading.\n"); 438 438 f = file; 439 - f->f_flags |= FMODE_READ; 440 - modified_flags = true; 439 + f->f_mode |= FMODE_READ; 440 + modified_mode = true; 441 441 } else { 442 442 new_file_instance = true; 443 443 } ··· 455 455 out: 456 456 if (new_file_instance) 457 457 fput(f); 458 - else if (modified_flags) 459 - f->f_flags &= ~FMODE_READ; 458 + else if (modified_mode) 459 + f->f_mode &= ~FMODE_READ; 460 460 return rc; 461 461 } 462 462
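Review bot: In the IS_ERR(f) branch of the second hunk, `f->f_mode |= FMODE_READ` is applied to the caller's own struct file (`f = file`), so while the hash is being calculated every other user of that same open file sees it as readable, and nothing in the visible lines serializes that window. A comment naming what makes this acceptable on this path (or stating that the window is tolerated) would help the next reader. The same branch also discards the dentry_open() error: the message "Unable to reopen file for reading." carries no error code, and `f = file` overwrites the ERR_PTR right after, so printing PTR_ERR(f) before the reassignment would make the fallback diagnosable.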
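Review bot: At the `out:` label in the last hunk, `f->f_mode &= ~FMODE_READ` clears the bit rather than restoring the previous value, which is correct only if FMODE_READ was clear when the fallback was taken; the check that guarantees this lies outside the lines shown. Consider saving the original f_mode and writing it back, or adding a one-line comment next to `modified_mode` that states the precondition, so a later change to the entry condition cannot silently strip read access from a file that was opened readable.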