From 817b54aa45db03437c6d09a7693fc6926eb8e822 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 13 May 2011 12:53:38 -0400 Subject: evm: add evm_inode_setattr to prevent updating an invalid security.evm Permit changing of security.evm only when valid, unless in fixmode. Reported-by: Roberto Sassu Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_main.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'security/integrity') diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 94d66af07aa4..8fc5b5d7ceaa 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -277,6 +277,21 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) return; } +/** + * evm_inode_setattr - prevent updating an invalid EVM extended attribute + * @dentry: pointer to the affected dentry + */ +int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) +{ + unsigned int ia_valid = attr->ia_valid; + enum integrity_status evm_status; + + if (ia_valid & ~(ATTR_MODE | ATTR_UID | ATTR_GID)) + return 0; + evm_status = evm_verify_current_integrity(dentry); + return evm_status == INTEGRITY_PASS ? 0 : -EPERM; +} + /** * evm_inode_post_setattr - update 'security.evm' after modifying metadata * @dentry: pointer to the affected dentry -- cgit v1.2.3