* [PATCH] evm: labeling pseudo filesystems exception
@ 2015-07-28 21:33 Mimi Zohar
  2015-07-28 22:01 ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2015-07-28 21:33 UTC (permalink / raw)
  To: stable; +Cc: Mimi Zohar

To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled.  As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.

Some LSMs defer file labeling on pseudo filesystems.  This patch
permits the labeling of existing files on pseudo filesystems.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
(cherry picked from commit 5101a1850bb7ccbf107929dee9af0cd2f400940f)
---
 security/integrity/evm/evm_main.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 10f9943..5820914 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 		iint = integrity_iint_find(d_backing_inode(dentry));
 		if (iint && (iint->flags & IMA_NEW_FILE))
 			return 0;
+
+		/* exception for pseudo filesystems */
+		if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+		    || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+			return 0;
+
+		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+				    dentry->d_inode, dentry->d_name.name,
+				    "update_metadata",
+				    integrity_status_msg[evm_status],
+				    -EPERM, 0);
 	}
 out:
 	if (evm_status != INTEGRITY_PASS)
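Review bot: the new check reads the superblock through `dentry->d_inode->i_sb->s_magic`, while the iint lookup two lines above goes through `d_backing_inode(dentry)`; that helper exists precisely so the two can diverge on stacked mounts, so use one accessor and hoist it into a local (`struct inode *inode = d_backing_inode(dentry);`) for the IMA_NEW_FILE lookup, the magic comparison and the `integrity_audit_msg()` arguments alike. Two smaller points: TMPFS_MAGIC and SYSFS_MAGIC come from `<linux/magic.h>` and the diffstat adds no include, so confirm evm_main.c already pulls it in; and the changelog speaks of "pseudo filesystems" in general while the code exempts exactly two magics, so a one-line comment on why only tmpfs and sysfs qualify (and not, say, other non-persistent filesystems) would save the next reader a trip to the mailing list.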
-- 
2.1.0


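The patch decides the exception purely from the superblock magic number. The following user-space helper, an added example that is neither part of the patch nor of the kernel tree, lets an administrator ask the same question the kernel asks: it resolves a path with statfs(2) and reports whether the file sits on one of the two filesystem types (tmpfs, sysfs) the hunk exempts, i.e. whether EVM will permit labeling an existing file there or only a newly created one. The function names `evm_pseudo_fs_exception` and `fs_magic_of_path` are hypothetical; the magic values are the ones from include/uapi/linux/magic.h.

```c
/* Added example, not code from the patch or the kernel. Reports whether a
 * path lives on a filesystem that the EVM pseudo-filesystem exception covers.
 * Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#ifdef __linux__
#include <sys/vfs.h>
#include <linux/magic.h>
#endif

/* Fallback values from include/uapi/linux/magic.h, for build hosts where the
 * header is unavailable. */
#ifndef TMPFS_MAGIC
#define TMPFS_MAGIC 0x01021994
#endif
#ifndef SYSFS_MAGIC
#define SYSFS_MAGIC 0x62656572
#endif

/* Mirrors the condition added by the hunk: returns 1 when EVM treats the
 * filesystem as non-persistent and allows existing files to be labeled,
 * 0 otherwise. */
int evm_pseudo_fs_exception(unsigned long s_magic)
{
    return s_magic == TMPFS_MAGIC || s_magic == SYSFS_MAGIC;
}

/* Resolves a path to its superblock magic via statfs(2).
 * Returns 0 and stores f_type in *magic on success, -errno on failure. */
int fs_magic_of_path(const char *path, unsigned long *magic)
{
#ifdef __linux__
    struct statfs st;
    if (statfs(path, &st) != 0)
        return -errno;
    *magic = (unsigned long)st.f_type;
    return 0;
#else
    (void)path;
    (void)magic;
    return -ENOSYS;
#endif
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        unsigned long magic;
        int rc = fs_magic_of_path(argv[i], &magic);
        if (rc < 0) {
            fprintf(stderr, "%s: statfs failed: %s\n", argv[i], strerror(-rc));
            continue;
        }
        printf("%s: f_type=0x%lx -> %s\n", argv[i], magic,
               evm_pseudo_fs_exception(magic)
                   ? "tmpfs/sysfs: EVM permits labeling existing files"
                   : "persistent fs: EVM permits labeling new files only");
    }
    return 0;
}
```

Run it as `./evmcheck /sys/kernel /dev/shm /etc/passwd` to see the split between the exempted types and a persistent filesystem; the classifier is kept separate from the statfs call so the decision can be unit-tested without touching the mounted system.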

* Re: [PATCH] evm: labeling pseudo filesystems exception
  2015-07-28 21:33 [PATCH] evm: labeling pseudo filesystems exception Mimi Zohar
@ 2015-07-28 22:01 ` Greg KH
  2015-07-28 22:32   ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2015-07-28 22:01 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: stable

On Tue, Jul 28, 2015 at 05:33:10PM -0400, Mimi Zohar wrote:
> To prevent offline stripping of existing file xattrs and relabeling of
> them at runtime, EVM allows only newly created files to be labeled.  As
> pseudo filesystems are not persistent, stripping of xattrs is not a
> concern.
> 
> Some LSMs defer file labeling on pseudo filesystems.  This patch
> permits the labeling of existing files on pseudo filesystems.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> (cherry picked from commit 5101a1850bb7ccbf107929dee9af0cd2f400940f)
> ---
>  security/integrity/evm/evm_main.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)

What stable kernel version(s) do you want this applied to?


* Re: [PATCH] evm: labeling pseudo filesystems exception
  2015-07-28 22:01 ` Greg KH
@ 2015-07-28 22:32   ` Mimi Zohar
  0 siblings, 0 replies; 3+ messages in thread
From: Mimi Zohar @ 2015-07-28 22:32 UTC (permalink / raw)
  To: Greg KH; +Cc: stable

On Tue, 2015-07-28 at 15:01 -0700, Greg KH wrote:
> On Tue, Jul 28, 2015 at 05:33:10PM -0400, Mimi Zohar wrote:
> > To prevent offline stripping of existing file xattrs and relabeling of
> > them at runtime, EVM allows only newly created files to be labeled.  As
> > pseudo filesystems are not persistent, stripping of xattrs is not a
> > concern.
> > 
> > Some LSMs defer file labeling on pseudo filesystems.  This patch
> > permits the labeling of existing files on pseudo filesystems.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > (cherry picked from commit 5101a1850bb7ccbf107929dee9af0cd2f400940f)
> > ---
> >  security/integrity/evm/evm_main.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> 
> What stable kernel version(s) do you want this applied to?

Commit "3dcbad5 evm: properly handle INTEGRITY_NOXATTRS EVM status"
changed how new files were identified, introducing the problem addressed
by this patch. Stable branches 4.1.y - 3.17.y and 3.14.y are affected.

Mimi

