| From 3dcbad52cf18c3c379e96b992d22815439ebbe53 Mon Sep 17 00:00:00 2001 |
| From: Dmitry Kasatkin <d.kasatkin@samsung.com> |
| Date: Tue, 2 Sep 2014 16:31:43 +0300 |
| Subject: evm: properly handle INTEGRITY_NOXATTRS EVM status |
| |
| From: Dmitry Kasatkin <d.kasatkin@samsung.com> |
| |
| commit 3dcbad52cf18c3c379e96b992d22815439ebbe53 upstream. |
| |
| Unless an LSM labels a file during d_instantiate(), newly created |
| files are not labeled with an initial security.evm xattr, until |
| the file closes. EVM, before allowing a protected, security xattr |
| to be written, verifies the existing 'security.evm' value is good. |
| For newly created files without a security.evm label, this |
| verification prevents writing any protected, security xattrs, |
| until the file closes. |
| |
| Following is the example when this happens: |
| fd = open("foo", O_CREAT | O_WRONLY, 0644); |
| setxattr("foo", "security.SMACK64", value, sizeof(value), 0); |
| close(fd); |
| |
| While INTEGRITY_NOXATTRS status is handled in other places, such |
| as evm_inode_setattr(), it does not handle it in all cases in |
| evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to |
| newly created files, we can now allow setting "protected" xattrs. |
| |
| Changelog: |
| - limit the use of INTEGRITY_NOXATTRS to IMA identified new files |
| |
| Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> |
| Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| security/integrity/evm/evm_main.c | 7 +++++++ |
| 1 file changed, 7 insertions(+) |
| |
| --- a/security/integrity/evm/evm_main.c |
| +++ b/security/integrity/evm/evm_main.c |
| @@ -284,6 +284,13 @@ static int evm_protect_xattr(struct dent |
| goto out; |
| } |
| evm_status = evm_verify_current_integrity(dentry); |
| + if (evm_status == INTEGRITY_NOXATTRS) { |
| + struct integrity_iint_cache *iint; |
| + |
| + iint = integrity_iint_find(dentry->d_inode); |
| + if (iint && (iint->flags & IMA_NEW_FILE)) |
| + return 0; |
| + } |
| out: |
| if (evm_status != INTEGRITY_PASS) |
| integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, |