git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Daniel Glöckner <dg@emlix.com>
	Fri, 24 Feb 2017 14:05:14 +0000 (15:05 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 25 May 2017 13:46:13 +0000 (15:46 +0200)
commit	efa8cd1e2f0ba01ae9477ccf4abe9fd9f7f1d0a7
tree	e5b5fa2d68fe675c406ad154abe689793f65927f	tree
parent	d5811285b5a8d43bbf677931667f2c505b96fa1b	commit \| diff

ima: accept previously set IMA_NEW_FILE

commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.

Modifying the attributes of a file makes ima_inode_post_setattr reset
the IMA cache flags. So if the file, which has just been created,
is opened a second time before the first file descriptor is closed,
verification fails since the security.ima xattr has not been written
yet. We therefore have to look at the IMA_NEW_FILE even if the file
already existed.

With this patch there should no longer be an error when cat tries to
open testfile:

$ rm -f testfile
$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile

A file being new is no reason to accept that it is missing a digital
signature demanded by the policy.

Signed-off-by: Daniel Glöckner <dg@emlix.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>