From: Seth Forshee Date: Thu, 15 Dec 2016 17:03:08 +0000 (-0600) Subject: UBUNTU: SAUCE: (namespace) evm: Don't update hmacs in user ns mounts X-Git-Tag: Ubuntu-4.13.0-10.11~231 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=e2f7dbcf2dc570cfc90a7b77407d9ab3afb60d28;p=mirror_ubuntu-artful-kernel.git UBUNTU: SAUCE: (namespace) evm: Don't update hmacs in user ns mounts The kernel should not calculate new hmacs for mounts done by non-root users. Update evm_calc_hmac_or_hash() to refuse to calculate new hmacs for mounts for non-init user namespaces. Signed-off-by: Seth Forshee --- diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 1d32cd20009a..9c9b799a8740 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -190,7 +190,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, int error; int size; - if (!(inode->i_opflags & IOP_XATTR)) + if (!(inode->i_opflags & IOP_XATTR) || + inode->i_sb->s_user_ns != &init_user_ns) return -EOPNOTSUPP; desc = init_desc(type);
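Review bot: The new `inode->i_sb->s_user_ns != &init_user_ns` test in evm_calc_hmac_or_hash() sits ahead of `init_desc(type)`, so it returns -EOPNOTSUPP for every `type` and every caller of this helper, while the commit message only speaks of refusing to calculate new hmacs. If the helper is also reached when an existing value is being verified, or when a plain hash rather than an hmac is computed, those paths now fail on user namespace mounts as well. Either move the check to the path that writes a new hmac, or state in the commit message and in a comment above the condition that the wider effect is intended. The return value is also shared with the missing IOP_XATTR case, so a caller cannot tell "no xattr support" from "superblock owned by a non-init user namespace"; a short comment, or a distinct error code if callers need to react differently, would make that explicit.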