diff options
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/ima/ima_appraise.c | 7 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 25 | ||||
| -rw-r--r-- | security/integrity/integrity.h | 1 |
3 files changed, 31 insertions, 2 deletions
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 6b4694aedae8..1bcbc12e03d9 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -275,6 +275,11 @@ out: xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { if (!ima_fix_xattr(dentry, iint)) status = INTEGRITY_PASS; + } else if ((inode->i_size == 0) && + (iint->flags & IMA_NEW_FILE) && + (xattr_value && + xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { + status = INTEGRITY_PASS; } integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, op, cause, rc, 0); @@ -328,7 +333,7 @@ void ima_inode_post_setattr(struct dentry *dentry) if (iint) { iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | - IMA_ACTION_FLAGS); + IMA_ACTION_RULE_FLAGS); if (must_appraise) iint->flags |= IMA_APPRAISE; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 391f41751021..68b26c340acd 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -246,7 +246,8 @@ static int process_measurement(struct file *file, char *buf, loff_t size, ima_audit_measurement(iint, pathname); out_digsig: - if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) + if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && + !(iint->flags & IMA_NEW_FILE)) rc = -EACCES; kfree(xattr_value); out_free: @@ -316,6 +317,28 @@ int ima_file_check(struct file *file, int mask, int opened) EXPORT_SYMBOL_GPL(ima_file_check); /** + * ima_post_path_mknod - mark as a new inode + * @dentry: newly created dentry + * + * Mark files created via the mknodat syscall as new, so that the + * file data can be written later. + */ +void ima_post_path_mknod(struct dentry *dentry) +{ + struct integrity_iint_cache *iint; + struct inode *inode = dentry->d_inode; + int must_appraise; + + must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); + if (!must_appraise) + return; + + iint = integrity_inode_get(inode); + if (iint) + iint->flags |= IMA_NEW_FILE; +} + +/** * ima_read_file - pre-measure/appraise hook decision based on policy * @file: pointer to the file to be measured/appraised/audit * @read_id: caller identifier diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index e08935cf343f..90bc57d796ec 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -28,6 +28,7 @@ /* iint cache flags */ #define IMA_ACTION_FLAGS 0xff000000 +#define IMA_ACTION_RULE_FLAGS 0x06000000 #define IMA_DIGSIG 0x01000000 #define IMA_DIGSIG_REQUIRED 0x02000000 #define IMA_PERMIT_DIRECTIO 0x04000000 |