Re: [PATCH] Revert "ima: limit file hash setting by user to fix and log modes"

On Thu, May 31, 2018 at 08:42:31PM +0300, Mike Rapoport wrote:

Hi,

On a system that has IMA appraisal enabled it is impossible to create security.ima extended attribute files that contain IMA hash.

For instance, consider the following use case:

1. extract application files to a staging area as non root user
2. verify that installation is correct
3. create IMA extended attributes for the installed files
4. move the files to their destination
5. change the files ownership to root

With the longterm kernels 4.4.x and 4.9.x step 3 will fail.

The issues is fixed in upstream kernels by the commit f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b ("Revert "ima: limit file hash setting by user to fix and log modes"), with the patch also quoted below.

Now queued up, thanks.

greg k-h