Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 91034255e42f6026bafb8e8e2b707eb937104bc8
commit91034255e42f6026bafb8e8e2b707eb937104bc8[log] [tgz]
authorDaniel Glöckner <dg@emlix.com>Fri Feb 24 15:05:14 2017 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Thu May 25 15:44:34 2017 +0200
treecd99774bb9933a31c15e0d0c1fccd18650bd1731
parentce7146cf9bdf490b9380af2a5d60bc65c68dbcb9 [diff]
ima: accept previously set IMA_NEW_FILE

commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.

Modifying the attributes of a file makes ima_inode_post_setattr reset
the IMA cache flags. So if the file, which has just been created,
is opened a second time before the first file descriptor is closed,
verification fails since the security.ima xattr has not been written
yet. We therefore have to look at the IMA_NEW_FILE even if the file
already existed.

With this patch there should no longer be an error when cat tries to
open testfile:

$ rm -f testfile
$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile

A file being new is no reason to accept that it is missing a digital
signature demanded by the policy.

Signed-off-by: Daniel Glöckner <dg@emlix.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: cd99774bb9933a31c15e0d0c1fccd18650bd1731
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS