From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Mimi Zohar, Sasha Levin
Subject: [PATCH AUTOSEL for 4.4 115/115] ima: relax requiring a file signature for new files with zero length
Date: Sat, 3 Mar 2018 22:31:58 +0000
Message-ID: <20180303223010.27106-115-alexander.levin@microsoft.com>
References: <20180303223010.27106-1-alexander.levin@microsoft.com>
In-Reply-To: <20180303223010.27106-1-alexander.levin@microsoft.com>

From: Mimi Zohar

[ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ]

Custom policies can require file signatures based on LSM labels. These files are normally created and only afterwards labeled, requiring them to be signed.

Instead of requiring file signatures based on LSM labels, entire filesystems could require file signatures. In this case, we need the ability of writing new files without requiring file signatures.

The definition of a "new" file was originally defined as any file with a length of zero. Subsequent patches redefined a "new" file to be based on the FILE_CREATE open flag. By combining the open flag with a file size of zero, this patch relaxes the file signature requirement.

Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE
Signed-off-by: Mimi Zohar
Signed-off-by: Sasha Levin
--- security/integrity/ima/ima_appraise.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima= /ima_appraise.c index 19014293f927..8da7c91b725d 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -206,7 +206,8 @@ int ima_appraise_measurement(int func, struct integrity= _iint_cache *iint, if (opened & FILE_CREATED) iint->flags |=3D IMA_NEW_FILE; if ((iint->flags & IMA_NEW_FILE) && - !(iint->flags & IMA_DIGSIG_REQUIRED)) + (!(iint->flags & IMA_DIGSIG_REQUIRED) || + (inode->i_size =3D=3D 0))) status =3D INTEGRITY_PASS; goto out; } --=20 2.14.1
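
Review bot: the added (inode->i_size == 0) test in the IMA_NEW_FILE branch of ima_appraise_measurement() lets a file pass appraisal with INTEGRITY_PASS even when IMA_DIGSIG_REQUIRED is set, and nothing in the code says why that is safe. A short comment above the condition stating that only a file flagged IMA_NEW_FILE and still empty is exempt would keep a later edit from widening the bypass. The size is also read as a bare inode->i_size; i_size_read(inode) is the usual accessor and would be the safer form here. Since this is a backport to 4.4 and the hunk context does not show where inode is declared, confirm that it is in scope in this tree's version of the function before the patch is queued.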