evm: labeling pseudo filesystems exception

To prevent offline stripping of existing file xattrs and relabeling of them at runtime, EVM allows only newly created files to be labeled. As pseudo filesystems are not persistent, stripping of xattrs is not a concern. Some LSMs defer file labeling on pseudo filesystems. This patch permits the labeling of existing files on pseudo files systems. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-04-21 13:59:31 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-05-21 13:28:47 -0400
commit: 5101a1850bb7ccbf107929dee9af0cd2f400940f (patch)
tree: 5ef7ac633c626864273b091ffe6b180e5b92297f /security
parent: a18d0cbfabd1d17e11ec2ae54804284298462125 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 10f994307a04..582091498819 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
                iint = integrity_iint_find(d_backing_inode(dentry));
                if (iint && (iint->flags & IMA_NEW_FILE))
                        return 0;
+                /* exception for pseudo filesystems */
+                if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+                    || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+                        return 0;
+                integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+                                    dentry->d_inode, dentry->d_name.name,
+                                    "update_metadata",
+                                    integrity_status_msg[evm_status],
+                                    -EPERM, 0);
        }
 out:
        if (evm_status != INTEGRITY_PASS)
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2015-04-21 13:59:31 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2015-05-21 13:28:47 -0400
commit	5101a1850bb7ccbf107929dee9af0cd2f400940f (patch)
tree	5ef7ac633c626864273b091ffe6b180e5b92297f /security
parent	a18d0cbfabd1d17e11ec2ae54804284298462125 (diff)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 10f994307a04..582091498819 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c
@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dentry dentry, const char xattr_name,
296	iint = integrity_iint_find(d_backing_inode(dentry));	296	iint = integrity_iint_find(d_backing_inode(dentry));
297	if (iint && (iint->flags & IMA_NEW_FILE))	297	if (iint && (iint->flags & IMA_NEW_FILE))
298	return 0;	298	return 0;
		299
		300	/* exception for pseudo filesystems */
		301	if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
		302	\|\| dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
		303	return 0;
		304
		305	integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
		306	dentry->d_inode, dentry->d_name.name,
		307	"update_metadata",
		308	integrity_status_msg[evm_status],
		309	-EPERM, 0);
299	}	310	}
300	out:	311	out:
301	if (evm_status != INTEGRITY_PASS)	312	if (evm_status != INTEGRITY_PASS)