Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3034a146 authored Jun 27, 2014 by Dmitry Kasatkin Committed by Mimi Zohar Sep 09, 2014

ima: pass 'opened' flag to identify newly created files



Empty files and missing xattrs do not guarantee that a file was
just created.  This patch passes FILE_CREATED flag to IMA to
reliably identify new files.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>  3.14+

parent 3dcbad52

fs/namei.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3058,7 +3058,7 @@ static int do_last(struct nameidata nd, struct path path,
		error = open_check_o_direct(file);
		if (error)
		goto exit_fput;
		error = ima_file_check(file, op->acc_mode);
		error = ima_file_check(file, op->acc_mode, *opened);
		if (error)
		goto exit_fput;

fs/nfsd/vfs.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -709,7 +709,7 @@ nfsd_open(struct svc_rqst rqstp, struct svc_fh fhp, umode_t type,
		host_err = PTR_ERR(*filp);
		*filp = NULL;
		} else {
		host_err = ima_file_check(*filp, may_flags);
		host_err = ima_file_check(*filp, may_flags, 0);

		if (may_flags & NFSD_MAY_64BIT_COOKIE)
		(*filp)->f_mode \|= FMODE_64BITHASH;

include/linux/ima.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -15,7 +15,7 @@ struct linux_binprm;

		#ifdef CONFIG_IMA
		extern int ima_bprm_check(struct linux_binprm *bprm);
		extern int ima_file_check(struct file *file, int mask);
		extern int ima_file_check(struct file *file, int mask, int opened);
		extern void ima_file_free(struct file *file);
		extern int ima_file_mmap(struct file *file, unsigned long prot);
		extern int ima_module_check(struct file *file);
		@@ -27,7 +27,7 @@ static inline int ima_bprm_check(struct linux_binprm *bprm)
		return 0;
		}

		static inline int ima_file_check(struct file *file, int mask)
		static inline int ima_file_check(struct file *file, int mask, int opened)
		{
		return 0;
		}

security/integrity/ima/ima.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -177,7 +177,7 @@ void ima_delete_rules(void);
		int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
		struct file file, const unsigned char filename,
		struct evm_ima_xattr_data *xattr_value,
		int xattr_len);
		int xattr_len, int opened);
		int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
		void ima_update_xattr(struct integrity_iint_cache iint, struct file file);
		enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
		@@ -193,7 +193,7 @@ static inline int ima_appraise_measurement(int func,
		struct file *file,
		const unsigned char *filename,
		struct evm_ima_xattr_data *xattr_value,
		int xattr_len)
		int xattr_len, int opened)
		{
		return INTEGRITY_UNKNOWN;
		}

security/integrity/ima/ima_appraise.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -183,7 +183,7 @@ int ima_read_xattr(struct dentry *dentry,
		int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
		struct file file, const unsigned char filename,
		struct evm_ima_xattr_data *xattr_value,
		int xattr_len)
		int xattr_len, int opened)
		{
		static const char op[] = "appraise_data";
		char *cause = "unknown";
		@@ -203,7 +203,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,

		cause = "missing-hash";
		status = INTEGRITY_NOLABEL;
		if (inode->i_size == 0) {
		if (opened & FILE_CREATED) {
		iint->flags \|= IMA_NEW_FILE;
		status = INTEGRITY_PASS;
		}