git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
ima: relax requiring a file signature for new files with zero length
author Mimi Zohar <zohar@linux.vnet.ibm.com>
Wed, 8 Nov 2017 12:38:28 +0000 (07:38 -0500)
committer Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Mon, 19 Mar 2018 23:42:18 +0000 (20:42 -0300)
commit f29ef6776eb3cbe67c7c36c88d713c73893b5fe9
tree e0d6c921904654726062b748c3b713c80dbe61a8
parent d8413a157be48883f1a2fbd83efc857a4f95e0fb

BugLink: http://bugs.launchpad.net/bugs/1756978
[ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ]

Custom policies can require file signatures based on LSM labels.  These
files are normally created and only afterwards labeled, requiring them
to be signed.

Instead of requiring file signatures based on LSM labels, entire
filesystems could require file signatures.  In this case, we need the
ability of writing new files without requiring file signatures.

The definition of a "new" file was originally defined as any file with
a length of zero.  Subsequent patches redefined a "new" file to be based
on the FILE_CREATE open flag.  By combining the open flag with a file
size of zero, this patch relaxes the file signature requirement.

Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
security/integrity/ima/ima_appraise.c