evm: do not use inode generation for special files

There is no way to read the inode generation number for special files.
It makes it impossible to perform filesystem labeling with digital
or HMAC signatures. Disable it for the time being.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 5e9687f..4de92d9 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -107,7 +107,11 @@
memset(&hmac_misc, 0, sizeof(hmac_misc));
hmac_misc.ino = inode->i_ino;
- hmac_misc.generation = inode->i_generation;
+ /* inode generation can be read from user space only
+ * for files and directories
+ */
+ if (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))
+ hmac_misc.generation = inode->i_generation;
hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid);
hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
hmac_misc.mode = inode->i_mode;
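
Review bot: with the `if (S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))` guard, every other inode type now contributes a generation of 0 to the HMAC input (the value left by the `memset` above), so a stored value that was calculated for such an inode with a non-zero `i_generation` under the removed unconditional assignment will no longer match. The commit message should state this and say how already-labeled special files are expected to be handled. The comment should also name the excluded types, since the condition leaves out symlinks as well as device nodes, FIFOs and sockets, while the text only says "files and directories". Since the message calls this a change "for time being", a note on what would allow the generation to be restored for those types would help later readers. The comment should use the kernel multi-line layout, with `/*` on a line of its own.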