evm: posix acls modify i_mode

The posix xattr acls are 'system' prefixed, which normally would not affect security.evm. An interesting side affect of writing posix xattr acls is their modifying of the i_mode, which is included in security.evm. This patch updates security.evm when posix xattr acls are written. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2011-08-18 18:07:44 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2011-09-14 15:24:51 -0400
commit: bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa (patch)
tree: c6c5f39d43fe0d27bc1d3aedbd2f9b3ba2f8f537 /security/integrity/evm/evm_main.c
parent: a924ce0b35875ef9512135b46a32f4150fd700b2 (diff)
1 files changed, 19 insertions, 5 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 7d4247535f9e..73c008d047c7 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -177,7 +177,14 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 /*
 * evm_protect_xattr - protect the EVM extended attribute
 *
- * Prevent security.evm from being modified or removed.
+ * Prevent security.evm from being modified or removed without the
+ * necessary permissions or when the existing value is invalid.
+ *
+ * The posix xattr acls are 'system' prefixed, which normally would not
+ * affect security.evm.  An interesting side affect of writing posix xattr
+ * acls is their modifying of the i_mode, which is included in security.evm.
+ * For posix xattr acls only, permit security.evm, even if it currently
+ * doesn't exist, to be updated.
 */
 static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
                             const void *xattr_value, size_t xattr_value_len)
@@ -187,9 +194,15 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
        if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
                if (!capable(CAP_SYS_ADMIN))
                        return -EPERM;
-        } else if (!evm_protected_xattr(xattr_name))
+        } else if (!evm_protected_xattr(xattr_name)) {
-                return 0;
+                if (!posix_xattr_acl(xattr_name))
+                        return 0;
+                evm_status = evm_verify_current_integrity(dentry);
+                if ((evm_status == INTEGRITY_PASS) ||
+                        (evm_status == INTEGRITY_NOLABEL))
+                        return 0;
+                return -EPERM;
+        }
        evm_status = evm_verify_current_integrity(dentry);
        return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
 }
@@ -240,7 +253,8 @@ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
                             const void *xattr_value, size_t xattr_value_len)
 {
-        if (!evm_initialized || !evm_protected_xattr(xattr_name))
+        if (!evm_initialized || (!evm_protected_xattr(xattr_name)
+                                 && !posix_xattr_acl(xattr_name)))
                return;
        evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2011-08-18 18:07:44 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2011-09-14 15:24:51 -0400
commit	bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa (patch)
tree	c6c5f39d43fe0d27bc1d3aedbd2f9b3ba2f8f537 /security/integrity/evm/evm_main.c
parent	a924ce0b35875ef9512135b46a32f4150fd700b2 (diff)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 7d4247535f9e..73c008d047c7 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c
@@ -177,7 +177,14 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
177	/*	177	/*
178	* evm_protect_xattr - protect the EVM extended attribute	178	* evm_protect_xattr - protect the EVM extended attribute
179	*	179	*
180	* Prevent security.evm from being modified or removed.	180	* Prevent security.evm from being modified or removed without the
		181	* necessary permissions or when the existing value is invalid.
		182	*
		183	* The posix xattr acls are 'system' prefixed, which normally would not
		184	* affect security.evm. An interesting side affect of writing posix xattr
		185	* acls is their modifying of the i_mode, which is included in security.evm.
		186	* For posix xattr acls only, permit security.evm, even if it currently
		187	* doesn't exist, to be updated.
181	*/	188	*/
182	static int evm_protect_xattr(struct dentry dentry, const char xattr_name,	189	static int evm_protect_xattr(struct dentry dentry, const char xattr_name,
183	const void *xattr_value, size_t xattr_value_len)	190	const void *xattr_value, size_t xattr_value_len)
@@ -187,9 +194,15 @@ static int evm_protect_xattr(struct dentry dentry, const char xattr_name,
187	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {	194	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
188	if (!capable(CAP_SYS_ADMIN))	195	if (!capable(CAP_SYS_ADMIN))
189	return -EPERM;	196	return -EPERM;
190	} else if (!evm_protected_xattr(xattr_name))	197	} else if (!evm_protected_xattr(xattr_name)) {
191	return 0;	198	if (!posix_xattr_acl(xattr_name))
192		199	return 0;
		200	evm_status = evm_verify_current_integrity(dentry);
		201	if ((evm_status == INTEGRITY_PASS) \|\|
		202	(evm_status == INTEGRITY_NOLABEL))
		203	return 0;
		204	return -EPERM;
		205	}
193	evm_status = evm_verify_current_integrity(dentry);	206	evm_status = evm_verify_current_integrity(dentry);
194	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;	207	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
195	}	208	}
@@ -240,7 +253,8 @@ int evm_inode_removexattr(struct dentry dentry, const char xattr_name)
240	void evm_inode_post_setxattr(struct dentry dentry, const char xattr_name,	253	void evm_inode_post_setxattr(struct dentry dentry, const char xattr_name,
241	const void *xattr_value, size_t xattr_value_len)	254	const void *xattr_value, size_t xattr_value_len)
242	{	255	{
243	if (!evm_initialized \|\| !evm_protected_xattr(xattr_name))	256	if (!evm_initialized \|\| (!evm_protected_xattr(xattr_name)
		257	&& !posix_xattr_acl(xattr_name)))
244	return;	258	return;
245		259
246	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);	260	evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);