[PATCH] evm: labeling pseudo filesystems exception

[PATCH] evm: labeling pseudo filesystems exception

[Mimi Zohar]

To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled.  As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.

Some LSMs defer file labeling on pseudo filesystems.  This patch
permits the labeling of existing files on pseudo files systems.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
(cherry picked from commit 5101a1850bb7ccbf107929dee9af0cd2f400940f)
---
 security/integrity/evm/evm_main.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 10f9943..5820914 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 		iint = integrity_iint_find(d_backing_inode(dentry));
 		if (iint && (iint->flags & IMA_NEW_FILE))
 			return 0;
+
+		/* exception for pseudo filesystems */
+		if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+		    || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+			return 0;
+
+		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+				    dentry->d_inode, dentry->d_name.name,
+				    "update_metadata",
+				    integrity_status_msg[evm_status],
+				    -EPERM, 0);
 	}
 out:
 	if (evm_status != INTEGRITY_PASS)
-- 
2.1.0

Re: [PATCH] evm: labeling pseudo filesystems exception

[Greg KH]

On Tue, Jul 28, 2015 at 05:33:10PM -0400, Mimi Zohar wrote:
> To prevent offline stripping of existing file xattrs and relabeling of
> them at runtime, EVM allows only newly created files to be labeled.  As
> pseudo filesystems are not persistent, stripping of xattrs is not a
> concern.
> 
> Some LSMs defer file labeling on pseudo filesystems.  This patch
> permits the labeling of existing files on pseudo files systems.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> (cherry picked from commit 5101a1850bb7ccbf107929dee9af0cd2f400940f)
> ---
>  security/integrity/evm/evm_main.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)

What stable kernel version(s) do you want this applied to?

Re: [PATCH] evm: labeling pseudo filesystems exception

[Mimi Zohar]

On Tue, 2015-07-28 at 15:01 -0700, Greg KH wrote:
> On Tue, Jul 28, 2015 at 05:33:10PM -0400, Mimi Zohar wrote:
> > To prevent offline stripping of existing file xattrs and relabeling of
> > them at runtime, EVM allows only newly created files to be labeled.  As
> > pseudo filesystems are not persistent, stripping of xattrs is not a
> > concern.
> > 
> > Some LSMs defer file labeling on pseudo filesystems.  This patch
> > permits the labeling of existing files on pseudo files systems.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > (cherry picked from commit 5101a1850bb7ccbf107929dee9af0cd2f400940f)
> > ---
> >  security/integrity/evm/evm_main.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> 
> What stable kernel version(s) do you want this applied to?

Commit "3dcbad5 evm: properly handle INTEGRITY_NOXATTRS EVM status"
changed how new files were identified, introducing the problem addressed
by this patch. Stable branches  4.1.y - 3.17.y and 3.14.y are affected.

Mimi