Received: by 10.213.65.68 with SMTP id h4csp1785011imn; Mon, 19 Mar 2018 13:11:49 -0700 (PDT) X-Google-Smtp-Source: AG47ELvQ7XbcvJYyg2De0wLBgDcriV+0P4a9W2WP4jA+HGa0cUKWfIkFMnoouX8pdZeNNBjRsgkg X-Received: by 10.99.117.92 with SMTP id f28mr10191444pgn.421.1521490309631; Mon, 19 Mar 2018 13:11:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521490309; cv=none; d=google.com; s=arc-20160816; b=yK4j30ZvmNzfaBRA2CakMwOvSoUz7Nor0tmJ81jvPNiWKeBtPr4QncevyjqwrkDPDi glOjBRmOEwSR6V5zissFb4CBcvp1RGzx8Na2N7tRBHC5P1R09qF8Foogw3gB62IWSlZ3 4w+qGkBQxAjMWhrlpwScWiw7q7H2B3kvLuWdpp9CGlHatn/CKVBgvhHe9p7v9yCiY/Od cY0dB+3lgJuUF2N7Ctitcg6Mn8FP8yrEblimpbqdB9rZC0giWQwdPmWLEVPi99VoczxH ULGuL1Lf24aHTJc/RHH8PxK09cVBo5vrjW1AbJzh++1zTcaiZr4QyDMktPBeRegmEz19 uuEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=DdBVoic6yR7xEj2GrNDrixUl5JsghFoMcRq0p9gbTL8=; b=Malap2KDjP1pGD28MbrTa9R9mxoNJrkpDCbPiTpFCde95jyxcqmS6rVZgT1v4KExNU JvfHLFy2tcuaNn01tA4DidYIvNCnjTZrTDhe2Pesr+rs3pWVSUN8cgVll36Gm6IqX1TC AQh4C1HnHGJHSHryz0n7El7idQyzjhZ9u0fAWYTXqD3XDSre8N+ERMNW0qbvocURuS3V l81Cg5ERJAcTxtkrTxIiW7pZh8V4iD7HYr+sFumF46e3hR18/xdk7wzNnI2c0T6Jqpmv huwxXo3fIM04TtesGndV/VKG7fN56Q1bxz3CnzHrcENAlUHvlIBxN6bd8qvEhzQdtQY4 5gbA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g8-v6si20585plm.120.2018.03.19.13.11.35; Mon, 19 Mar 2018 13:11:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S971066AbeCSUJ5 (ORCPT + 99 others); Mon, 19 Mar 2018 16:09:57 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:45386 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1030919AbeCSSQ5 (ORCPT ); Mon, 19 Mar 2018 14:16:57 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 0B8D2FA8; Mon, 19 Mar 2018 18:16:56 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mimi Zohar , Sasha Levin Subject: [PATCH 4.4 109/134] ima: relax requiring a file signature for new files with zero length Date: Mon, 19 Mar 2018 19:06:32 +0100 Message-Id: <20180319171905.020768938@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180319171849.024066323@linuxfoundation.org> References: <20180319171849.024066323@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mimi Zohar [ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ] Custom policies can require file signatures based on LSM labels. These files are normally created and only afterwards labeled, requiring them to be signed. Instead of requiring file signatures based on LSM labels, entire filesystems could require file signatures. In this case, we need the ability of writing new files without requiring file signatures. The definition of a "new" file was originally defined as any file with a length of zero. Subsequent patches redefined a "new" file to be based on the FILE_CREATE open flag. By combining the open flag with a file size of zero, this patch relaxes the file signature requirement. Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- security/integrity/ima/ima_appraise.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -206,7 +206,8 @@ int ima_appraise_measurement(int func, s if (opened & FILE_CREATED) iint->flags |= IMA_NEW_FILE; if ((iint->flags & IMA_NEW_FILE) && - !(iint->flags & IMA_DIGSIG_REQUIRED)) + (!(iint->flags & IMA_DIGSIG_REQUIRED) || + (inode->i_size == 0))) status = INTEGRITY_PASS; goto out; }