Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / 1ac202e978e18f045006d75bd549612620c6ec3a
commit1ac202e978e18f045006d75bd549612620c6ec3a[log] [tgz]
authorDaniel Glöckner <dg@emlix.com>Fri Feb 24 15:05:14 2017 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>Tue Mar 07 07:06:10 2017 -0500
tree2ba303f2bf2a26ecc6defdd021696154f0b47869
parentbad4417b692ede5cf31105b329cea1544875b526 [diff]
ima: accept previously set IMA_NEW_FILE

Modifying the attributes of a file makes ima_inode_post_setattr reset
the IMA cache flags. So if the file, which has just been created,
is opened a second time before the first file descriptor is closed,
verification fails since the security.ima xattr has not been written
yet. We therefore have to look at the IMA_NEW_FILE even if the file
already existed.

With this patch there should no longer be an error when cat tries to
open testfile:

$ rm -f testfile
$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile

A file being new is no reason to accept that it is missing a digital
signature demanded by the policy.

Signed-off-by: Daniel Glöckner <dg@emlix.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
1 file changed
tree: 2ba303f2bf2a26ecc6defdd021696154f0b47869
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README