Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: provide flag to identify new empty files

On ima_file_free(), newly created empty files are not labeled with
an initial security.ima value, because the iversion did not change.
Commit dff6efc "fs: fix iversion handling" introduced a change in
iversion behavior. To verify this change use the shell command:

$ (exec >foo)
$ getfattr -h -e hex -d -m security foo

This patch defines the IMA_NEW_FILE flag. The flag is initially
set, when IMA detects that a new file is created, and subsequently
checked on the ima_file_free() hook to set the initial security.ima
value.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> 3.14+

authored by Dmitry Kasatkin and committed by Mimi Zohar
b151d6b0 1f100979

+13 -7
+5 -2
security/integrity/ima/ima_appraise.c
··· 202 202 goto out; 203 203 204 204 cause = "missing-hash"; 205 - status = 206 - (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL; 205 + status = INTEGRITY_NOLABEL; 206 + if (inode->i_size == 0) { 207 + iint->flags |= IMA_NEW_FILE; 208 + status = INTEGRITY_PASS; 209 + } 207 210 goto out; 208 211 } 209 212
+7 -5
security/integrity/ima/ima_main.c
··· 124 124 return; 125 125 126 126 mutex_lock(&inode->i_mutex); 127 - if (atomic_read(&inode->i_writecount) == 1 && 128 - iint->version != inode->i_version) { 129 - iint->flags &= ~IMA_DONE_MASK; 130 - if (iint->flags & IMA_APPRAISE) 131 - ima_update_xattr(iint, file); 127 + if (atomic_read(&inode->i_writecount) == 1) { 128 + if ((iint->version != inode->i_version) || 129 + (iint->flags & IMA_NEW_FILE)) { 130 + iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); 131 + if (iint->flags & IMA_APPRAISE) 132 + ima_update_xattr(iint, file); 133 + } 132 134 } 133 135 mutex_unlock(&inode->i_mutex); 134 136 }
+1
security/integrity/integrity.h
··· 31 31 #define IMA_DIGSIG 0x01000000 32 32 #define IMA_DIGSIG_REQUIRED 0x02000000 33 33 #define IMA_PERMIT_DIRECTIO 0x04000000 34 + #define IMA_NEW_FILE 0x08000000 34 35 35 36 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ 36 37 IMA_APPRAISE_SUBMASK)
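Review bot: In the ima_appraise.c hunk, the condition `if (inode->i_size == 0)` under the "missing-hash" cause treats every unlabeled zero-length inode as a new file, not only ones IMA just saw created; a pre-existing empty file with no security.ima takes the same path and gets IMA_NEW_FILE set. That is harmless as far as the visible code goes (it only leads to the xattr being written on the last writer's close), but a short comment above the block stating that "empty and unlabeled" is being used as the signal for "newly created" would save the next reader from wondering whether a creation hook was missed.

Review bot: In the ima_main.c hunk, IMA_NEW_FILE is only cleared inside `if (atomic_read(&inode->i_writecount) == 1)`, so the bit stays set in iint across closes by non-writers and across closes while other writers are still open; it is worth confirming that this is intended (the last writer's close then does the labeling) and saying so in a comment. Stylistically, the two nested ifs could be a single `if (atomic_read(&inode->i_writecount) == 1 && (iint->version != inode->i_version || (iint->flags & IMA_NEW_FILE)))`, which keeps the original indentation and makes the diff smaller.

Review bot: In the integrity.h hunk, `#define IMA_NEW_FILE 0x08000000` has no comment, unlike the purpose of the neighbouring bits being inferable from their names; add a one-line note that it marks an unlabeled empty file awaiting its initial security.ima so that readers do not confuse it with a policy action bit. It is correctly left out of IMA_DO_MASK, which is shown below it, but please double-check against the flag definitions above the visible context that 0x08000000 is not already used.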