linux-hardened/security
Mimi Zohar 05d1a717ec ima: add support for creating files using the mknodat syscall
Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
stopped identifying empty files as new files.  However new empty files
can be created using the mknodat syscall.  On systems with IMA-appraisal
enabled, these empty files are not labeled with security.ima extended
attributes properly, preventing them from subsequently being opened in
order to write the file data contents.  This patch defines a new hook
named ima_post_path_mknod() to mark these empty files, created using
mknodat, as new in order to allow the file data contents to be written.

In addition, files with security.ima xattrs containing a file signature
are considered "immutable" and can not be modified.  The file contents
need to be written, before signing the file.  This patch relaxes this
requirement for new files, allowing the file signature to be written
before the file contents.

Changelog:
- defer identifying files with signatures stored as security.ima
  (based on Dmitry Rozhkov's comments)
- removing tests (eg. dentry, dentry->d_inode, inode->i_size == 0)
  (based on Al's review)

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Al Viro <<viro@zeniv.linux.org.uk>
Tested-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
2016-05-01 09:23:52 -04:00
..
apparmor apparmor: clarify CRYPTO dependency 2015-10-22 11:11:28 +11:00
integrity ima: add support for creating files using the mknodat syscall 2016-05-01 09:23:52 -04:00
keys Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-03-17 11:33:45 -07:00
loadpin LSM: LoadPin for kernel file loading restrictions 2016-04-21 10:47:27 +10:00
selinux TTY/Serial patches for 4.6-rc1 2016-03-17 13:53:25 -07:00
smack smack: fix cache of access labels 2016-02-16 09:56:35 -08:00
tomoyo mm/gup: Introduce get_user_pages_remote() 2016-02-16 10:04:09 +01:00
yama Yama: consolidate error reporting 2016-04-21 10:47:26 +10:00
commoncap.c ptrace: use fsuid, fsgid, effective creds for fs access checks 2016-01-20 17:09:18 -08:00
device_cgroup.c security/device_cgroup: Fix RCU_LOCKDEP_WARN() condition 2015-09-03 18:13:10 -07:00
inode.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
Kconfig LSM: LoadPin for kernel file loading restrictions 2016-04-21 10:47:27 +10:00
lsm_audit.c Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next 2015-08-15 13:29:57 +10:00
Makefile LSM: LoadPin for kernel file loading restrictions 2016-04-21 10:47:27 +10:00
min_addr.c
security.c LSM: LoadPin for kernel file loading restrictions 2016-04-21 10:47:27 +10:00