aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-06-27 11:04:27 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-09-08 17:38:57 -0400
commitb151d6b00bbb798c58f2f21305e7d43fa763f34f (patch)
tree3a10265d73d01f900860aa9e7e1faa5c4eab4f4d /security/integrity
parent1f1009791b2e81f106d4809007720495ba3ed90c (diff)
ima: provide flag to identify new empty files
On ima_file_free(), newly created empty files are not labeled with an initial security.ima value, because the iversion did not change. Commit dff6efc "fs: fix iversion handling" introduced a change in iversion behavior. To verify this change use the shell command: $ (exec >foo) $ getfattr -h -e hex -d -m security foo This patch defines the IMA_NEW_FILE flag. The flag is initially set, when IMA detects that a new file is created, and subsequently checked on the ima_file_free() hook to set the initial security.ima value. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> 3.14+
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_appraise.c7
-rw-r--r--security/integrity/ima/ima_main.c12
-rw-r--r--security/integrity/integrity.h1
3 files changed, 13 insertions, 7 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 86bfd5c5df85..a4605d677248 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -202,8 +202,11 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
202 goto out; 202 goto out;
203 203
204 cause = "missing-hash"; 204 cause = "missing-hash";
205 status = 205 status = INTEGRITY_NOLABEL;
206 (inode->i_size == 0) ? INTEGRITY_PASS : INTEGRITY_NOLABEL; 206 if (inode->i_size == 0) {
207 iint->flags |= IMA_NEW_FILE;
208 status = INTEGRITY_PASS;
209 }
207 goto out; 210 goto out;
208 } 211 }
209 212
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 2917f980bf30..0a2298f90c9c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -124,11 +124,13 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
124 return; 124 return;
125 125
126 mutex_lock(&inode->i_mutex); 126 mutex_lock(&inode->i_mutex);
127 if (atomic_read(&inode->i_writecount) == 1 && 127 if (atomic_read(&inode->i_writecount) == 1) {
128 iint->version != inode->i_version) { 128 if ((iint->version != inode->i_version) ||
129 iint->flags &= ~IMA_DONE_MASK; 129 (iint->flags & IMA_NEW_FILE)) {
130 if (iint->flags & IMA_APPRAISE) 130 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
131 ima_update_xattr(iint, file); 131 if (iint->flags & IMA_APPRAISE)
132 ima_update_xattr(iint, file);
133 }
132 } 134 }
133 mutex_unlock(&inode->i_mutex); 135 mutex_unlock(&inode->i_mutex);
134} 136}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 19b8e314ca96..904e68abd49e 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -31,6 +31,7 @@
31#define IMA_DIGSIG 0x01000000 31#define IMA_DIGSIG 0x01000000
32#define IMA_DIGSIG_REQUIRED 0x02000000 32#define IMA_DIGSIG_REQUIRED 0x02000000
33#define IMA_PERMIT_DIRECTIO 0x04000000 33#define IMA_PERMIT_DIRECTIO 0x04000000
34#define IMA_NEW_FILE 0x08000000
34 35
35#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ 36#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
36 IMA_APPRAISE_SUBMASK) 37 IMA_APPRAISE_SUBMASK)