path: root/security/integrity/ima/ima.h
author: Dmitry Kasatkin <d.kasatkin@samsung.com> 2014-09-02 15:31:43 +0200
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-09-09 16:26:10 +0200
commit: 3dcbad52cf18c3c379e96b992d22815439ebbe53
tree: a5766bd074a95c62e2c67ccf3a72608a6929bb60 /security/integrity/ima/ima.h
parent: ima: provide flag to identify new empty files
evm: properly handle INTEGRITY_NOXATTRS EVM status
Unless an LSM labels a file during d_instantiate(), newly created files are not labeled with an initial security.evm xattr, until the file closes. EVM, before allowing a protected, security xattr to be written, verifies the existing 'security.evm' value is good. For newly created files without a security.evm label, this verification prevents writing any protected, security xattrs, until the file closes.

Following is the example when this happens:

    fd = open("foo", O_CREAT | O_WRONLY, 0644);
    setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
    close(fd);

While INTEGRITY_NOXATTRS status is handled in other places, such as evm_inode_setattr(), it does not handle it in all cases in evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to newly created files, we can now allow setting "protected" xattrs.

Changelog:
- limit the use of INTEGRITY_NOXATTRS to IMA identified new files

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> 3.14+
Diffstat (limited to 'security/integrity/ima/ima.h')
0 files changed, 0 insertions, 0 deletions
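The decision the commit message describes, as an added illustration that is not kernel code and not part of this commit: a small user-space model of the verdict evm_protect_xattr() reaches before a protected xattr such as security.SMACK64 is written. The status names follow the kernel's (INTEGRITY_PASS, INTEGRITY_FAIL, INTEGRITY_NOXATTRS), but the struct, the function names ending in _model, the replay_* helpers and the numeric enum values are assumptions made for this example. The model collapses EVM's verdict to three cases and uses a `new_file_aware` flag to contrast the pre-patch handling (any INTEGRITY_NOXATTRS write refused, so the create-then-setxattr sequence fails until close) with the post-patch handling (INTEGRITY_NOXATTRS accepted only for an inode IMA flagged as newly created). The replay of an existing file whose security.evm has been stripped shows why the acceptance is limited to new files: that file must still be refused, or removing security.evm would become a way around the check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* EVM verdicts on a file's security.evm xattr. Names match the kernel's
 * integrity.h; the numeric values are arbitrary in this model. */
enum integrity_status {
    INTEGRITY_PASS,     /* security.evm present and verifies */
    INTEGRITY_FAIL,     /* security.evm present but does not verify */
    INTEGRITY_NOXATTRS, /* no security.evm at all */
};

/* Assumed, simplified inode state; not the kernel's inode or iint. */
struct model_inode {
    bool has_evm_xattr; /* security.evm exists on the inode */
    bool evm_valid;     /* and its HMAC/signature verifies */
    bool ima_new_file;  /* IMA flagged this inode as a newly created, empty file */
};

static enum integrity_status evm_verify_model(const struct model_inode *ino)
{
    if (!ino->has_evm_xattr)
        return INTEGRITY_NOXATTRS;
    return ino->evm_valid ? INTEGRITY_PASS : INTEGRITY_FAIL;
}

/* Verdict before a protected xattr write: 0 allows, -EPERM refuses.
 * new_file_aware=false models the pre-patch behaviour, true the post-patch one. */
static int evm_protect_xattr_model(const struct model_inode *ino, bool new_file_aware)
{
    switch (evm_verify_model(ino)) {
    case INTEGRITY_PASS:
        return 0;
    case INTEGRITY_NOXATTRS:
        /* Post-patch: only an IMA-identified new file may be labeled while
         * it still lacks security.evm. Pre-patch: refused unconditionally. */
        if (new_file_aware && ino->ima_new_file)
            return 0;
        return -EPERM;
    case INTEGRITY_FAIL:
    default:
        return -EPERM;
    }
}

/* Replays the commit message's sequence: open(O_CREAT) -> setxattr(security.SMACK64)
 * -> close. Returns the verdict on the setxattr step. */
int replay_create_then_label(bool new_file_aware)
{
    /* Just created, nothing written yet: no security.evm, IMA new-file flag set. */
    struct model_inode ino = { .has_evm_xattr = false, .evm_valid = false,
                               .ima_new_file = true };
    int rc = evm_protect_xattr_model(&ino, new_file_aware);

    /* close(): EVM writes the initial security.evm; the new-file flag clears. */
    ino.has_evm_xattr = true;
    ino.evm_valid = true;
    ino.ima_new_file = false;
    return rc;
}

/* Existing file whose security.evm was removed (e.g. offline): not a new file,
 * so it must still be refused even after the patch. */
int replay_stripped_existing_file(bool new_file_aware)
{
    struct model_inode ino = { .has_evm_xattr = false, .evm_valid = false,
                               .ima_new_file = false };
    return evm_protect_xattr_model(&ino, new_file_aware);
}

/* Existing file with a security.evm that no longer verifies: always refused. */
int replay_tampered_existing_file(bool new_file_aware)
{
    struct model_inode ino = { .has_evm_xattr = true, .evm_valid = false,
                               .ima_new_file = false };
    return evm_protect_xattr_model(&ino, new_file_aware);
}

int main(void)
{
    const char *mode[] = { "pre-patch", "post-patch" };
    for (int aware = 0; aware < 2; aware++) {
        printf("%-10s new file:      %s\n", mode[aware],
               replay_create_then_label(aware) == 0 ? "allowed" : "EPERM");
        printf("%-10s stripped file: %s\n", mode[aware],
               replay_stripped_existing_file(aware) == 0 ? "allowed" : "EPERM");
        printf("%-10s tampered file: %s\n", mode[aware],
               replay_tampered_existing_file(aware) == 0 ? "allowed" : "EPERM");
    }
    return 0;
}
```

Only the first row changes between the two modes: the freshly created file can now receive security.SMACK64 before close, while a file that merely lacks (or carries a bad) security.evm is refused exactly as before.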