Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934783AbbHLJXk (ORCPT ); Wed, 12 Aug 2015 05:23:40 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:60784 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934418AbbHLI6G (ORCPT ); Wed, 12 Aug 2015 04:58:06 -0400 From: Luis Henriques To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com Cc: Mimi Zohar , Luis Henriques Subject: [PATCH 3.16.y-ckt 071/118] evm: labeling pseudo filesystems exception Date: Wed, 12 Aug 2015 09:56:13 +0100 Message-Id: <1439369820-27005-72-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1439369820-27005-1-git-send-email-luis.henriques@canonical.com> References: <1439369820-27005-1-git-send-email-luis.henriques@canonical.com> X-Extended-Stable: 3.16 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2054 Lines: 59 3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know. ------------------ From: Mimi Zohar commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream. To prevent offline stripping of existing file xattrs and relabeling of them at runtime, EVM allows only newly created files to be labeled. As pseudo filesystems are not persistent, stripping of xattrs is not a concern. Some LSMs defer file labeling on pseudo filesystems. This patch permits the labeling of existing files on pseudo files systems. Signed-off-by: Mimi Zohar [ luis: backported to 3.16: - added magic.h header file ] Signed-off-by: Luis Henriques --- security/integrity/evm/evm_main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 970772c731ff..41f32259437c 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include "evm.h" @@ -290,6 +291,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, iint = integrity_iint_find(dentry->d_inode); if (iint && (iint->flags & IMA_NEW_FILE)) return 0; + + /* exception for pseudo filesystems */ + if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC + || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC) + return 0; + + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, + dentry->d_inode, dentry->d_name.name, + "update_metadata", + integrity_status_msg[evm_status], + -EPERM, 0); } out: if (evm_status != INTEGRITY_PASS) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/