* Patch "evm: labeling pseudo filesystems exception" has been added to the 4.1-stable tree
@ 2015-07-30 19:53 gregkh
From: gregkh @ 2015-07-30 19:53 UTC (permalink / raw)
  To: zohar, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    evm: labeling pseudo filesystems exception

to the 4.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     evm-labeling-pseudo-filesystems-exception.patch
and it can be found in the queue-4.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From 5101a1850bb7ccbf107929dee9af0cd2f400940f Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Tue, 21 Apr 2015 13:59:31 -0400
Subject: evm: labeling pseudo filesystems exception

From: Mimi Zohar <zohar@linux.vnet.ibm.com>

commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.

To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled.  As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.

Some LSMs defer file labeling on pseudo filesystems.  This patch
permits the labeling of existing files on pseudo filesystems.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/integrity/evm/evm_main.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dent
 		iint = integrity_iint_find(d_backing_inode(dentry));
 		if (iint && (iint->flags & IMA_NEW_FILE))
 			return 0;
+
+		/* exception for pseudo filesystems */
+		if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+		    || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+			return 0;
+
+		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+				    dentry->d_inode, dentry->d_name.name,
+				    "update_metadata",
+				    integrity_status_msg[evm_status],
+				    -EPERM, 0);
 	}
 out:
 	if (evm_status != INTEGRITY_PASS)
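Review bot: the new superblock magic check dereferences `dentry->d_inode->i_sb` while the `integrity_iint_find()` call two lines above in the same block already uses `d_backing_inode(dentry)`; the two lookups should agree, so the exception is better written as `d_backing_inode(dentry)->i_sb->s_magic == TMPFS_MAGIC` (and likewise for `SYSFS_MAGIC`), and the `dentry->d_inode` argument passed to `integrity_audit_msg()` should use the same helper. Separately, the commit message describes only the pseudo-filesystem exception, but the hunk also adds an `integrity_audit_msg(... "update_metadata" ... -EPERM ...)` call at the end of this branch, which is new audit output that the changelog should mention.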


Patches currently in stable-queue which might be from zohar@linux.vnet.ibm.com are

queue-4.1/keys-fix-ca_keys-partial-key-matching.patch
queue-4.1/ima-update-builtin-policies.patch
queue-4.1/ima-extend-mask-policy-matching-support.patch
queue-4.1/ima-cleanup-ima_init_policy-a-little.patch
queue-4.1/evm-labeling-pseudo-filesystems-exception.patch
queue-4.1/ima-fix-ima_show_template_data_ascii.patch
queue-4.1/ima-add-support-for-new-euid-policy-condition.patch
queue-4.1/ima-do-not-measure-or-appraise-the-nsfs-filesystem.patch
queue-4.1/ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch
