Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

evm: properly handle INTEGRITY_NOXATTRS EVM status

Unless an LSM labels a file during d_instantiate(), newly created
files are not labeled with an initial security.evm xattr until
the file closes. EVM, before allowing a protected security xattr
to be written, verifies the existing 'security.evm' value is good.
For newly created files without a security.evm label, this
verification prevents writing any protected security xattrs
until the file closes.

The following is an example of when this happens:
fd = open("foo", O_CREAT | O_WRONLY, 0644);
setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
close(fd);

While the INTEGRITY_NOXATTRS status is handled in other places, such
as evm_inode_setattr(), it is not handled in all cases in
evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to
newly created files, we can now allow setting "protected" xattrs.

Changelog:
- limit the use of INTEGRITY_NOXATTRS to IMA identified new files

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> 3.14+
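The open/setxattr/close sequence above, turned into a userspace reproducer. This is an added example, not code from the commit or from the kernel tree; it assumes the Linux glibc xattr API (sys/xattr.h) and writes a temporary file under /tmp (path and the Smack floor label "_" are assumptions). What it reports depends on the kernel it runs on: the "before close is EPERM, after close succeeds" pattern only appears with EVM active, an IMA appraisal policy covering the file, and enough privilege to write security.* xattrs; on other kernels both orderings return the same result (success, EPERM or EOPNOTSUPP), which is still useful as a baseline.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/*
 * Set a protected security xattr on a brand-new file either while the
 * creating descriptor is still open (the failing case on affected kernels)
 * or only after close().  Returns 0 if setxattr() succeeded, the errno it
 * failed with, or -1 if the file itself could not be created.
 */
int try_protected_xattr(const char *path, int set_before_close)
{
    /* "_" is Smack's floor label; any valid label works for the test. */
    static const char value[] = "_";
    const char *name = "security.SMACK64";
    int ret = 0;

    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (fd < 0)
        return -1;

    if (set_before_close) {
        /* Same ordering as the commit message: xattr write, then close. */
        if (setxattr(path, name, value, sizeof(value) - 1, 0) < 0)
            ret = errno;
        close(fd);
    } else {
        /* Close first so IMA/EVM get a chance to label the file. */
        close(fd);
        if (setxattr(path, name, value, sizeof(value) - 1, 0) < 0)
            ret = errno;
    }
    unlink(path);
    return ret;
}

/*
 * Run both orderings on a per-process temp path (assumed location).
 * Returns 1 when the before-close write is refused with EPERM but the
 * after-close write is accepted, i.e. the exact symptom the patch fixes;
 * 0 otherwise.
 */
int shows_noxattrs_symptom(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/evm_newfile_%ld", (long)getpid());
    int before = try_protected_xattr(path, 1);
    int after = try_protected_xattr(path, 0);
    return before == EPERM && after == 0;
}

int main(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/evm_newfile_%ld", (long)getpid());
    for (int before = 1; before >= 0; before--) {
        int r = try_protected_xattr(path, before);
        printf("setxattr %s close(): %s\n", before ? "before" : "after",
               r == 0 ? "ok" : r < 0 ? "could not create file" : strerror(r));
    }
    printf("symptom present: %s\n", shows_noxattrs_symptom() ? "yes" : "no");
    return 0;
}
```

Run it as root on a kernel with EVM initialised and an IMA appraisal rule matching /tmp to see the pre-fix behaviour; after this patch (or with IMA_NEW_FILE set on the inode) both orderings should succeed.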

Authored by Dmitry Kasatkin and committed by Mimi Zohar. Commit 3dcbad52 (parent b151d6b0).

security/integrity/evm/evm_main.c (+7 lines)
··· 285 285 goto out; 286 286 } 287 287 evm_status = evm_verify_current_integrity(dentry); 288 + if (evm_status == INTEGRITY_NOXATTRS) { 289 + struct integrity_iint_cache *iint; 290 + 291 + iint = integrity_iint_find(dentry->d_inode); 292 + if (iint && (iint->flags & IMA_NEW_FILE)) 293 + return 0; 294 + } 288 295 out: 289 296 if (evm_status != INTEGRITY_PASS) 290 297 integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
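Review bot: the `return 0` inside the new INTEGRITY_NOXATTRS branch bypasses the `out:` label, so a new file that passes the IMA_NEW_FILE check produces no integrity_audit_msg() record while every other non-PASS status still does; if that silence is intended, a one-line comment saying so would help, otherwise fall through to `out:` like the surrounding code does. Two smaller points on the same lines: `iint->flags` is read straight after `integrity_iint_find()` without `iint->mutex`, so it is worth stating why a concurrent change to IMA_NEW_FILE by IMA cannot matter here; and when `integrity_iint_find()` returns NULL (file not covered by IMA policy, or IMA disabled) the relaxation does not apply and such files still cannot receive protected xattrs before close, which matches the changelog's "IMA identified new files" but deserves a mention in the commit message.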