diff options
Diffstat (limited to 'security/integrity/evm/evm_main.c')
| -rw-r--r-- | security/integrity/evm/evm_main.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 3bcb80df4d01..9685af330de5 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c | |||
| @@ -126,14 +126,15 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, | |||
| 126 | rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, | 126 | rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, |
| 127 | GFP_NOFS); | 127 | GFP_NOFS); |
| 128 | if (rc <= 0) { | 128 | if (rc <= 0) { |
| 129 | if (rc == 0) | 129 | evm_status = INTEGRITY_FAIL; |
| 130 | evm_status = INTEGRITY_FAIL; /* empty */ | 130 | if (rc == -ENODATA) { |
| 131 | else if (rc == -ENODATA) { | ||
| 132 | rc = evm_find_protected_xattrs(dentry); | 131 | rc = evm_find_protected_xattrs(dentry); |
| 133 | if (rc > 0) | 132 | if (rc > 0) |
| 134 | evm_status = INTEGRITY_NOLABEL; | 133 | evm_status = INTEGRITY_NOLABEL; |
| 135 | else if (rc == 0) | 134 | else if (rc == 0) |
| 136 | evm_status = INTEGRITY_NOXATTRS; /* new file */ | 135 | evm_status = INTEGRITY_NOXATTRS; /* new file */ |
| 136 | } else if (rc == -EOPNOTSUPP) { | ||
| 137 | evm_status = INTEGRITY_UNKNOWN; | ||
| 137 | } | 138 | } |
| 138 | goto out; | 139 | goto out; |
| 139 | } | 140 | } |
| @@ -284,6 +285,13 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, | |||
| 284 | goto out; | 285 | goto out; |
| 285 | } | 286 | } |
| 286 | evm_status = evm_verify_current_integrity(dentry); | 287 | evm_status = evm_verify_current_integrity(dentry); |
| 288 | if (evm_status == INTEGRITY_NOXATTRS) { | ||
| 289 | struct integrity_iint_cache *iint; | ||
| 290 | |||
| 291 | iint = integrity_iint_find(dentry->d_inode); | ||
| 292 | if (iint && (iint->flags & IMA_NEW_FILE)) | ||
| 293 | return 0; | ||
| 294 | } | ||
| 287 | out: | 295 | out: |
| 288 | if (evm_status != INTEGRITY_PASS) | 296 | if (evm_status != INTEGRITY_PASS) |
| 289 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, | 297 | integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, |
| @@ -352,7 +360,6 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, | |||
| 352 | return; | 360 | return; |
| 353 | 361 | ||
| 354 | evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); | 362 | evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); |
| 355 | return; | ||
| 356 | } | 363 | } |
| 357 | 364 | ||
| 358 | /** | 365 | /** |
| @@ -372,7 +379,6 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) | |||
| 372 | mutex_lock(&inode->i_mutex); | 379 | mutex_lock(&inode->i_mutex); |
| 373 | evm_update_evmxattr(dentry, xattr_name, NULL, 0); | 380 | evm_update_evmxattr(dentry, xattr_name, NULL, 0); |
| 374 | mutex_unlock(&inode->i_mutex); | 381 | mutex_unlock(&inode->i_mutex); |
| 375 | return; | ||
| 376 | } | 382 | } |
| 377 | 383 | ||
| 378 | /** | 384 | /** |
| @@ -414,7 +420,6 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) | |||
| 414 | 420 | ||
| 415 | if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) | 421 | if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) |
| 416 | evm_update_evmxattr(dentry, NULL, NULL, 0); | 422 | evm_update_evmxattr(dentry, NULL, NULL, 0); |
| 417 | return; | ||
| 418 | } | 423 | } |
| 419 | 424 | ||
| 420 | /* | 425 | /* |