releases/3.17.3/evm-properly-handle-integrity_noxattrs-evm-status.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 3dcbad52cf18c3c379e96b992d22815439ebbe53 Mon Sep 17 00:00:00 2001
 From: Dmitry Kasatkin <d.kasatkin@samsung.com>
 Date: Tue, 2 Sep 2014 16:31:43 +0300
 Subject: evm: properly handle INTEGRITY_NOXATTRS EVM status

 From: Dmitry Kasatkin <d.kasatkin@samsung.com>

 commit 3dcbad52cf18c3c379e96b992d22815439ebbe53 upstream.

 Unless an LSM labels a file during d_instantiate(), newly created
 files are not labeled with an initial security.evm xattr, until
 the file closes.  EVM, before allowing a protected, security xattr
 to be written, verifies the existing 'security.evm' value is good.
 For newly created files without a security.evm label, this
 verification prevents writing any protected, security xattrs,
 until the file closes.

 Following is the example when this happens:
 fd = open("foo", O_CREAT | O_WRONLY, 0644);
 setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
 close(fd);

 While INTEGRITY_NOXATTRS status is handled in other places, such
 as evm_inode_setattr(), it does not handle it in all cases in
 evm_protect_xattr().  By limiting the use of INTEGRITY_NOXATTRS to
 newly created files, we can now allow setting "protected" xattrs.

 Changelog:
 - limit the use of INTEGRITY_NOXATTRS to IMA identified new files

 Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
 Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  security/integrity/evm/evm_main.c |    7 +++++++
  1 file changed, 7 insertions(+)

 --- a/security/integrity/evm/evm_main.c
 +++ b/security/integrity/evm/evm_main.c
 @@ -284,6 +284,13 @@ static int evm_protect_xattr(struct dent
  		goto out;
  	}
  	evm_status = evm_verify_current_integrity(dentry);
 +	if (evm_status == INTEGRITY_NOXATTRS) {
 +		struct integrity_iint_cache *iint;
 +
 +		iint = integrity_iint_find(dentry->d_inode);
 +		if (iint && (iint->flags & IMA_NEW_FILE))
 +			return 0;
 +	}
  out:
  	if (evm_status != INTEGRITY_PASS)
  		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
	From 3dcbad52cf18c3c379e96b992d22815439ebbe53 Mon Sep 17 00:00:00 2001
	From: Dmitry Kasatkin <d.kasatkin@samsung.com>
	Date: Tue, 2 Sep 2014 16:31:43 +0300
	Subject: evm: properly handle INTEGRITY_NOXATTRS EVM status

	From: Dmitry Kasatkin <d.kasatkin@samsung.com>

	commit 3dcbad52cf18c3c379e96b992d22815439ebbe53 upstream.

	Unless an LSM labels a file during d_instantiate(), newly created
	files are not labeled with an initial security.evm xattr, until
	the file closes. EVM, before allowing a protected, security xattr
	to be written, verifies the existing 'security.evm' value is good.
	For newly created files without a security.evm label, this
	verification prevents writing any protected, security xattrs,
	until the file closes.

	Following is the example when this happens:
	fd = open("foo", O_CREAT \| O_WRONLY, 0644);
	setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
	close(fd);

	While INTEGRITY_NOXATTRS status is handled in other places, such
	as evm_inode_setattr(), it does not handle it in all cases in
	evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to
	newly created files, we can now allow setting "protected" xattrs.

	Changelog:
	- limit the use of INTEGRITY_NOXATTRS to IMA identified new files

	Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
	Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	security/integrity/evm/evm_main.c \| 7 +++++++
	1 file changed, 7 insertions(+)

	--- a/security/integrity/evm/evm_main.c
	+++ b/security/integrity/evm/evm_main.c
	@@ -284,6 +284,13 @@ static int evm_protect_xattr(struct dent
	goto out;
	}
	evm_status = evm_verify_current_integrity(dentry);
	+ if (evm_status == INTEGRITY_NOXATTRS) {
	+ struct integrity_iint_cache *iint;
	+
	+ iint = integrity_iint_find(dentry->d_inode);
	+ if (iint && (iint->flags & IMA_NEW_FILE))
	+ return 0;
	+ }
	out:
	if (evm_status != INTEGRITY_PASS)
	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,