From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Mimi Zohar, Sasha Levin
Subject: [PATCH AUTOSEL for 4.9 219/219] ima: relax requiring a file signature for new files with zero length
Date: Sat, 3 Mar 2018 22:30:03 +0000
Message-ID: <20180303222716.26640-219-alexander.levin@microsoft.com>
References: <20180303222716.26640-1-alexander.levin@microsoft.com>
In-Reply-To: <20180303222716.26640-1-alexander.levin@microsoft.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mimi Zohar

[ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ]

Custom policies can require file signatures based on LSM labels. These
files are normally created and only afterwards labeled, requiring them to
be signed.

Instead of requiring file signatures based on LSM labels, entire
filesystems could require file signatures. In this case, we need the
ability to write new files without requiring file signatures.

The definition of a "new" file was originally defined as any file with a
length of zero. Subsequent patches redefined a "new" file to be based on
the FILE_CREATE open flag. By combining the open flag with a file size of
zero, this patch relaxes the file signature requirement.

Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE
Signed-off-by: Mimi Zohar
Signed-off-by: Sasha Levin
---
 security/integrity/ima/ima_appraise.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 6830d2427e47..7bf8b005a178 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -207,7 +207,8 @@ int ima_appraise_measurement(enum ima_hooks func,
 		if (opened & FILE_CREATED)
 			iint->flags |= IMA_NEW_FILE;
 		if ((iint->flags & IMA_NEW_FILE) &&
-		    !(iint->flags & IMA_DIGSIG_REQUIRED))
+		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
+		     (inode->i_size == 0)))
 			status = INTEGRITY_PASS;
 		goto out;
 	}
-- 
2.14.1
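Review bot: the two `+` lines make an inode flagged IMA_NEW_FILE reach `status = INTEGRITY_PASS` whenever `inode->i_size == 0`, even with IMA_DIGSIG_REQUIRED set, and nothing at the `if` records why that bypass of the signature requirement is acceptable; a short comment above the condition (for example, "a newly created, still-empty file cannot carry a signature yet") would keep the rationale from the commit message next to the code that the next reader of ima_appraise_measurement() will actually see. Minor style point: the inner parentheses around `inode->i_size == 0` are redundant and could be dropped.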