diff options
| author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-09-02 16:31:43 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-11-14 08:59:48 -0800 |
| commit | c318c31cd1448461dfd2c82d87865f61ddde2d4c (patch) | |
| tree | 179f358259dc93747b82ed90f31d51027058d786 /net | |
| parent | 7f4ec7741d144d51063dcf4ca68978729ab2d63f (diff) | |
evm: properly handle INTEGRITY_NOXATTRS EVM status
commit 3dcbad52cf18c3c379e96b992d22815439ebbe53 upstream.
Unless an LSM labels a file during d_instantiate(), newly created
files are not labeled with an initial security.evm xattr, until
the file closes. EVM, before allowing a protected, security xattr
to be written, verifies the existing 'security.evm' value is good.
For newly created files without a security.evm label, this
verification prevents writing any protected, security xattrs,
until the file closes.
Following is the example when this happens:
fd = open("foo", O_CREAT | O_WRONLY, 0644);
setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
close(fd);
While INTEGRITY_NOXATTRS status is handled in other places, such
as evm_inode_setattr(), it does not handle it in all cases in
evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to
newly created files, we can now allow setting "protected" xattrs.
Changelog:
- limit the use of INTEGRITY_NOXATTRS to IMA identified new files
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
0 files changed, 0 insertions, 0 deletions