git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Dmitry Kasatkin <d.kasatkin@samsung.com>
	Tue, 2 Sep 2014 13:31:43 +0000 (16:31 +0300)
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>
	Tue, 9 Sep 2014 14:26:10 +0000 (10:26 -0400)
commit	3dcbad52cf18c3c379e96b992d22815439ebbe53
tree	a5766bd074a95c62e2c67ccf3a72608a6929bb60	tree
parent	b151d6b00bbb798c58f2f21305e7d43fa763f34f	commit \| diff

evm: properly handle INTEGRITY_NOXATTRS EVM status

Unless an LSM labels a file during d_instantiate(), newly created
files are not labeled with an initial security.evm xattr, until
the file closes. EVM, before allowing a protected, security xattr
to be written, verifies the existing 'security.evm' value is good.
For newly created files without a security.evm label, this
verification prevents writing any protected, security xattrs,
until the file closes.

Following is the example when this happens:
fd = open("foo", O_CREAT | O_WRONLY, 0644);
setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
close(fd);

While INTEGRITY_NOXATTRS status is handled in other places, such
as evm_inode_setattr(), it does not handle it in all cases in
evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to
newly created files, we can now allow setting "protected" xattrs.

Changelog:
- limit the use of INTEGRITY_NOXATTRS to IMA identified new files

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> 3.14+