    ima: add support for creating files using the mknodat syscall · 05d1a717
    Mimi Zohar authored
    Commit 3034a146 "ima: pass 'opened' flag to identify newly created files"
    stopped identifying empty files as new files.  However, new empty files
    can be created using the mknodat syscall.  On systems with IMA-appraisal
    enabled, these empty files are not labeled with security.ima extended
    attributes properly, preventing them from subsequently being opened in
    order to write the file data contents.  This patch defines a new hook
    named ima_post_path_mknod() to mark these empty files, created using
    mknodat, as new in order to allow the file data contents to be written.
    
    In addition, files with security.ima xattrs containing a file signature
    are considered "immutable" and cannot be modified.  The file contents
    need to be written before signing the file.  This patch relaxes this
    requirement for new files, allowing the file signature to be written
    before the file contents.
    
    Changelog:
    - defer identifying files with signatures stored as security.ima
      (based on Dmitry Rozhkov's comments)
    - removing tests (e.g. dentry, dentry->d_inode, inode->i_size == 0)
      (based on Al's review)
    Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
ima_main.c 11.4 KB
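The sequence the commit message describes, written out as an added user-space probe; this is not kernel code from the commit and not part of the page. It creates an empty regular file with mknodat (so no open(O_CREAT) marks it new), stores a constructed signature-type security.ima value on it, and only then opens it for writing. On a kernel with IMA-appraisal enabled and a policy covering the path, that final open is the step which failed before this change. On a kernel without IMA appraisal the probe runs through, but the setxattr step normally fails with EPERM (security.* xattrs require CAP_SYS_ADMIN when no LSM claims them), which the probe records rather than treats as fatal. The scratch path and the xattr bytes are assumptions; the leading 0x03 byte is the EVM_IMA_XATTR_DIGSIG type, the rest is not a real signature.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Outcome of each step in the mknodat -> label -> write sequence. */
struct mknod_probe {
    int created;      /* 1 if mknodat produced an empty regular file */
    int xattr_errno;  /* 0 if security.ima was set, otherwise the errno */
    int write_ok;     /* 1 if the file could then be opened and written */
    long final_size;  /* byte count after the write, -1 if unknown */
};

/* Constructed stand-in for a signature-type security.ima value: the
 * leading byte 0x03 is EVM_IMA_XATTR_DIGSIG, the type IMA treats as an
 * immutable file signature; the remaining bytes are not a signature. */
static const unsigned char fake_sig_xattr[] = {
    0x03, 'n', 'o', 't', '-', 'a', '-', 's', 'i', 'g'
};

static const char payload[] = "file contents written after signing\n";

/* Run the sequence against `path` (a scratch path chosen by the caller).
 * Returns 0 if the sequence ran to completion, or -errno if the file
 * could not even be created; per-step results land in *r. */
int probe_mknod_then_write(const char *path, struct mknod_probe *r)
{
    struct stat st;
    int fd;
    ssize_t n;

    memset(r, 0, sizeof(*r));
    r->final_size = -1;
    unlink(path);

    /* Step 1: create an empty regular file without open(O_CREAT).
     * Before the fix, IMA-appraisal did not treat such a file as new. */
    if (mknodat(AT_FDCWD, path, S_IFREG | 0644, 0) != 0)
        return -errno;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size != 0)
        return -EIO;
    r->created = 1;

    /* Step 2: store a signature-type security.ima before any contents
     * exist. Without IMA/EVM handling the namespace, security.* needs
     * CAP_SYS_ADMIN, so EPERM here is expected on an ordinary box. */
    if (setxattr(path, "security.ima", fake_sig_xattr,
                 sizeof(fake_sig_xattr), 0) != 0)
        r->xattr_errno = errno;

    /* Step 3: open for writing and add the contents. This is the open
     * that the commit message says appraisal used to refuse. */
    fd = open(path, O_WRONLY);
    if (fd >= 0) {
        n = write(fd, payload, sizeof(payload) - 1);
        if (n == (ssize_t)(sizeof(payload) - 1))
            r->write_ok = 1;
        close(fd);
        if (stat(path, &st) == 0)
            r->final_size = (long)st.st_size;
    }
    unlink(path);
    return 0;
}

/* Convenience check: 1 when the whole create -> label -> write sequence
 * succeeded end to end (xattr failure is reported, not counted). */
int probe_sequence_ok(const char *path)
{
    struct mknod_probe r;

    if (probe_mknod_then_write(path, &r) != 0)
        return 0;
    return r.created && r.write_ok &&
           r.final_size == (long)(sizeof(payload) - 1);
}

int main(void)
{
    struct mknod_probe r;
    int rc = probe_mknod_then_write("/tmp/ima_mknod_probe.tmp", &r);

    if (rc != 0) {
        fprintf(stderr, "mknodat failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("created=%d xattr=%s write_ok=%d size=%ld\n",
           r.created, r.xattr_errno ? strerror(r.xattr_errno) : "set",
           r.write_ok, r.final_size);
    return r.write_ok ? 0 : 1;
}
```

On an appraisal-enabled system, run the probe as root under a path the IMA policy covers: a `write_ok=0` result with `xattr=set` reproduces the pre-fix behaviour (the mknodat-created file was never flagged new, so the signed xattr made it immutable before its contents existed), and `write_ok=1` shows the relaxed rule for new files in effect.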