Skip to content

L
linux
Commit 20267e45 authored by Mimi Zohar's avatar Mimi Zohar Committed by Luis Henriques
Browse files
Options

evm: labeling pseudo filesystems exception 

commit 5101a185 upstream.

To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled.  As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.

Some LSMs defer file labeling on pseudo filesystems.  This patch
permits the labeling of existing files on pseudo files systems.
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
[ luis: backported to 3.16:
  - added magic.h header file ]
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 9760c0f9
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 0 deletions
security/integrity/evm/evm_main.c
View file @ 20267e45
......@@ -22,6 +22,7 @@
#include <linux/xattr.h>
#include <linux/integrity.h>
#include <linux/evm.h>
#include <linux/magic.h>
#include <crypto/hash.h>
#include "evm.h"
......@@ -290,6 +291,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
iint = integrity_iint_find(dentry->d_inode);
if (iint && (iint->flags & IMA_NEW_FILE))
return 0;
/* exception for pseudo filesystems */
if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
|| dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
return 0;
integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
dentry->d_inode, dentry->d_name.name,
"update_metadata",
integrity_status_msg[evm_status],
-EPERM, 0);
}
out:
if (evm_status != INTEGRITY_PASS)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7