author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-08-11 01:22:30 -0400 |
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-09-14 15:24:51 -0400 |
commit | a924ce0b35875ef9512135b46a32f4150fd700b2 (patch) | |
tree | 0e01ac679790fe96c03b341b2670a2ed9c56a122 /security | |
parent | fb88c2b6cbb1265a8bef60694699b37f5cd4ba76 (diff) |
evm: limit verifying current security.evm integrity
evm_protect_xattr unnecessarily validates the current security.evm
integrity before updating extended attributes that EVM does not protect,
and other file metadata. This patch limits validation of the current
security.evm integrity to EVM-protected metadata.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/evm/evm_main.c | 58 |
1 files changed, 24 insertions, 34 deletions
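--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -159,21 +159,6 @@ enum integrity_status evm_verifyxattr(struct dentry *dentry,
 EXPORT_SYMBOL_GPL(evm_verifyxattr);
 
 /*
- * evm_protect_xattr - protect the EVM extended attribute
- *
- * Prevent security.evm from being modified or removed.
- */
-static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
-			     const void *xattr_value, size_t xattr_value_len)
-{
-	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
-		if (!capable(CAP_SYS_ADMIN))
-			return -EPERM;
-	}
-	return 0;
-}
-
-/*
  * evm_verify_current_integrity - verify the dentry's metadata integrity
  * @dentry: pointer to the affected dentry
  *
@@ -189,6 +174,26 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
 }
 
+/*
+ * evm_protect_xattr - protect the EVM extended attribute
+ *
+ * Prevent security.evm from being modified or removed.
+ */
+static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
+			     const void *xattr_value, size_t xattr_value_len)
+{
+	enum integrity_status evm_status;
+
+	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
+	} else if (!evm_protected_xattr(xattr_name))
+		return 0;
+
+	evm_status = evm_verify_current_integrity(dentry);
+	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
+}
+
 /**
  * evm_inode_setxattr - protect the EVM extended attribute
  * @dentry: pointer to the affected dentry
@@ -202,16 +207,8 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 		       const void *xattr_value, size_t xattr_value_len)
 {
-
-	enum integrity_status evm_status;
-	int ret;
-
-	ret = evm_protect_xattr(dentry, xattr_name, xattr_value,
-				xattr_value_len);
-	if (ret)
-		return ret;
-	evm_status = evm_verify_current_integrity(dentry);
-	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
+	return evm_protect_xattr(dentry, xattr_name, xattr_value,
+				 xattr_value_len);
 }
 
 /**
@@ -224,14 +221,7 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
  */
 int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
 {
-	enum integrity_status evm_status;
-	int ret;
-
-	ret = evm_protect_xattr(dentry, xattr_name, NULL, 0);
-	if (ret)
-		return ret;
-	evm_status = evm_verify_current_integrity(dentry);
-	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
+	return evm_protect_xattr(dentry, xattr_name, NULL, 0);
 }
 
 /**
@@ -286,7 +276,7 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 	unsigned int ia_valid = attr->ia_valid;
 	enum integrity_status evm_status;
 
-	if (ia_valid & ~(ATTR_MODE | ATTR_UID | ATTR_GID))
+	if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
 		return 0;
 	evm_status = evm_verify_current_integrity(dentry);
 	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;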
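Review bot: The header comment carried over onto the relocated evm_protect_xattr (second hunk) is now stale: it still says only "Prevent security.evm from being modified or removed", but the new body also refuses to set or remove any name accepted by evm_protected_xattr() unless evm_verify_current_integrity() returns INTEGRITY_PASS, so a reader of the comment would not expect EVM-protected xattrs such as the ones it guards to be gated on the current HMAC. Suggested replacement for the comment body: `Prevent security.evm from being modified or removed without CAP_SYS_ADMIN, and refuse to update any EVM-protected xattr unless the current security.evm integrity verifies; non-protected xattrs are not checked.` Within that same function the two branches are braced inconsistently (`} else if (!evm_protected_xattr(xattr_name))` followed by an unbraced `return 0;`), and xattr_value / xattr_value_len appear unused inside the hunk although both callers still pass them. The last hunk inverts the ia_valid test so that a mixed setattr carrying ATTR_MODE, ATTR_UID or ATTR_GID together with other bits is now verified instead of skipped; that is a separate behavioural change worth a sentence in the commit description.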