From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.kernel.org ([198.145.29.99]:43178 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752036AbeFARJg (ORCPT <rfc822;stable@vger.kernel.org>);
        Fri, 1 Jun 2018 13:09:36 -0400
Date: Fri, 1 Jun 2018 19:09:14 +0200
From: Greg KH <gregkh@linuxfoundation.org>
To: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org, James Bottomley <jejb@linux.vnet.ibm.com>
Subject: Re: [PATCH] Revert "ima: limit file hash setting by user to fix and
 log modes"
Message-ID: <20180601170914.GC13517@kroah.com>
References: <20180531174231.GA9708@rapoport-lnx>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180531174231.GA9708@rapoport-lnx>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Thu, May 31, 2018 at 08:42:31PM +0300, Mike Rapoport wrote:
> Hi,
> 
> On a system that has IMA appraisal enabled it is impossible to create
> security.ima extended attribute files that contain IMA hash.
> 
> For instance, consider the following use case:
> 
> 1) extract application files to a staging area as non root user
> 2) verify that installation is correct
> 3) create IMA extended attributes for the installed files
> 4) move the files to their destination
> 5) change the files ownership to root
> 
> With the longterm kernels 4.4.x and 4.9.x step 3 will fail.
> 
> The issues is fixed in upstream kernels by the commit
> f5acb3dcba1ffb7f0b8cbb9dba61500eea5d610b ("Revert "ima: limit file hash
> setting by user to fix and log modes"), with the patch also quoted below.

Now queued up, thanks.

greg k-h