[PATCH 3.16.y-ckt 071/118] evm: labeling pseudo filesystems exception
Luis Henriques
luis.henriques at canonical.com
Wed Aug 12 08:56:13 UTC 2015
3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zohar at linux.vnet.ibm.com>
commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.
To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled. As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.
Some LSMs defer file labeling on pseudo filesystems. This patch
permits the labeling of existing files on pseudo files systems.
Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
[ luis: backported to 3.16:
- added magic.h header file ]
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
security/integrity/evm/evm_main.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 970772c731ff..41f32259437c 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -22,6 +22,7 @@
#include <linux/xattr.h>
#include <linux/integrity.h>
#include <linux/evm.h>
+#include <linux/magic.h>
#include <crypto/hash.h>
#include "evm.h"
@@ -290,6 +291,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
iint = integrity_iint_find(dentry->d_inode);
if (iint && (iint->flags & IMA_NEW_FILE))
return 0;
+
+ /* exception for pseudo filesystems */
+ if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+ || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+ return 0;
+
+ integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+ dentry->d_inode, dentry->d_name.name,
+ "update_metadata",
+ integrity_status_msg[evm_status],
+ -EPERM, 0);
}
out:
if (evm_status != INTEGRITY_PASS)
More information about the kernel-team
mailing list