Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ima: provide flag to identify new empty files

On ima_file_free(), newly created empty files are not labeled with
an initial security.ima value, because the iversion did not change.
Commit dff6efc "fs: fix iversion handling" introduced a change in
iversion behavior.  To verify this change use the shell command:

  $ (exec >foo)
  $ getfattr -h -e hex -d -m security foo

This patch defines the IMA_NEW_FILE flag.  The flag is initially
set, when IMA detects that a new file is created, and subsequently
checked on the ima_file_free() hook to set the initial security.ima
value.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>  3.14+
Dmitry Kasatkin 11 years ago
parent
1f1009791b
commit
b151d6b00b
3 changed files with 13 additions and 7 deletions
Unified View Show Diff Stats
  1. 5 2
      security/integrity/ima/ima_appraise.c
  2. 7 5
      security/integrity/ima/ima_main.c
  3. 1 0
      security/integrity/integrity.h

+ 5 - 2
security/integrity/ima/ima_appraise.c
View File 

@@ -202,8 +202,11 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
 
 			goto out;
 
 			goto out;
 
 
 
 		cause = "missing-hash";
 
 		cause = "missing-hash";
 
-		status =
 
-		    (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL;
 
+		status = INTEGRITY_NOLABEL;
 
+		if (inode->i_size == 0) {
 
+			iint->flags |= IMA_NEW_FILE;
 
+			status = INTEGRITY_PASS;
 
+		}
 
 		goto out;
 
 		goto out;
 
 	}
 
 	}

+ 7 - 5
security/integrity/ima/ima_main.c
View File 

@@ -124,11 +124,13 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
 
 		return;
 
 		return;
 
 
 
 	mutex_lock(&inode->i_mutex);
 
 	mutex_lock(&inode->i_mutex);
 
-	if (atomic_read(&inode->i_writecount) == 1 &&
 
-	    iint->version != inode->i_version) {
 
-		iint->flags &= ~IMA_DONE_MASK;
 
-		if (iint->flags & IMA_APPRAISE)
 
-			ima_update_xattr(iint, file);
 
+	if (atomic_read(&inode->i_writecount) == 1) {
 
+		if ((iint->version != inode->i_version) ||
 
+		    (iint->flags & IMA_NEW_FILE)) {
 
+			iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
 
+			if (iint->flags & IMA_APPRAISE)
 
+				ima_update_xattr(iint, file);
 
+		}
 
 	}
 
 	}
 
 	mutex_unlock(&inode->i_mutex);
 
 	mutex_unlock(&inode->i_mutex);
 
 }
 
 }

+ 1 - 0
security/integrity/integrity.h
View File 

@@ -31,6 +31,7 @@
 
 #define IMA_DIGSIG		0x01000000
 
 #define IMA_DIGSIG		0x01000000
 
 #define IMA_DIGSIG_REQUIRED	0x02000000
 
 #define IMA_DIGSIG_REQUIRED	0x02000000
 
 #define IMA_PERMIT_DIRECTIO	0x04000000
 
 #define IMA_PERMIT_DIRECTIO	0x04000000
 
+#define IMA_NEW_FILE		0x08000000
 
 
 
 #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
 
 #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
 
 				 IMA_APPRAISE_SUBMASK)
 
 				 IMA_APPRAISE_SUBMASK)