    ima: accept previously set IMA_NEW_FILE · b297f0a2
    Daniel Glöckner authored
    commit 1ac202e9 upstream.
    
    Modifying the attributes of a file makes ima_inode_post_setattr reset
    the IMA cache flags. So if the file, which has just been created,
    is opened a second time before the first file descriptor is closed,
    verification fails since the security.ima xattr has not been written
    yet. We therefore have to look at the IMA_NEW_FILE even if the file
    already existed.
    
    With this patch there should no longer be an error when cat tries to
    open testfile:
    
    $ rm -f testfile
    $ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile
    
    A file being new is no reason to accept that it is missing a digital
    signature demanded by the policy.
    Signed-off-by: Daniel Glöckner <dg@emlix.com>
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
ima_appraise.c 9.53 KB