ima: clear IMA_HASH

The IMA_APPRAISE and IMA_HASH policies overlap. Clear IMA_HASH properly.

Fixes: da1b0029f527 ("ima: support new "hash" and "dont_hash" policy actions")
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e3da29af2c16317d4070395f77cd614806157e16..40557c06300ff642e717c75134458262e362708a 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -389,7 +389,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
                action |= entry->action & IMA_DO_MASK;
                if (entry->action & IMA_APPRAISE) {
                        action |= get_subaction(entry, func);
-                       action ^= IMA_HASH;
+                       action &= ~IMA_HASH;
                }
 
                if (entry->action & IMA_DO_MASK)