• Dmitry Kasatkin's avatar
    evm: properly handle INTEGRITY_NOXATTRS EVM status · 742b40ef
    Dmitry Kasatkin authored
    commit 3dcbad52 upstream.
    
    Unless an LSM labels a file during d_instantiate(), newly created
    files are not labeled with an initial security.evm xattr, until
    the file closes.  EVM, before allowing a protected, security xattr
    to be written, verifies the existing 'security.evm' value is good.
    For newly created files without a security.evm label, this
    verification prevents writing any protected, security xattrs,
    until the file closes.
    
    Following is the example when this happens:
    fd = open("foo", O_CREAT | O_WRONLY, 0644);
    setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
    close(fd);
    
    While INTEGRITY_NOXATTRS status is handled in other places, such
    as evm_inode_setattr(), it does not handle it in all cases in
    evm_protect_xattr().  By limiting the use of INTEGRITY_NOXATTRS to
    newly created files, we can now allow setting "protected" xattrs.
    
    Changelog:
    - limit the use of INTEGRITY_NOXATTRS to IMA identified new files
    Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    742b40ef
evm_main.c 13.2 KB