Patch "ima: relax requiring a file signature for new files with zero length" has been added to the 4.15-stable tree - Linux-stable-mirror

16 Mar 2018

This is a note to let you know that I've just added the patch titled
ima: relax requiring a file signature for new files with zero length
to the 4.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is:
     ima-relax-requiring-a-file-signature-for-new-files-with-zero-length.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let stable@vger.kernel.org know about it.
...
From foo@baz Fri Mar 16 15:11:08 CET 2018
From: Mimi Zohar zohar@linux.vnet.ibm.com
Date: Wed, 8 Nov 2017 07:38:28 -0500
Subject: ima: relax requiring a file signature for new files with zero length
From: Mimi Zohar zohar@linux.vnet.ibm.com
[ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ]
Custom policies can require file signatures based on LSM labels.  These
files are normally created and only afterwards labeled, requiring them
to be signed.
Instead of requiring file signatures based on LSM labels, entire
filesystems could require file signatures.  In this case, we need the
ability of writing new files without requiring file signatures.
The definition of a "new" file was originally defined as any file with
a length of zero.  Subsequent patches redefined a "new" file to be based
on the FILE_CREATE open flag.  By combining the open flag with a file
size of zero, this patch relaxes the file signature requirement.
Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE
Signed-off-by: Mimi Zohar zohar@linux.vnet.ibm.com
Signed-off-by: Sasha Levin alexander.levin@microsoft.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 security/integrity/ima/ima_appraise.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -223,7 +223,8 @@ int ima_appraise_measurement(enum ima_ho
    	if (opened & FILE_CREATED)
    		iint->flags |= IMA_NEW_FILE;
    	if ((iint->flags & IMA_NEW_FILE) &&
-		    !(iint->flags & IMA_DIGSIG_REQUIRED))
+		    (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
+		     (inode->i_size == 0)))
    		status = INTEGRITY_PASS;
    	goto out;
    }
Patches currently in stable-queue which might be from zohar@linux.vnet.ibm.com are
queue-4.15/ima-relax-requiring-a-file-signature-for-new-files-with-zero-length.patch

    