evm: labeling pseudo filesystems exception
authorMimi Zohar <zohar@linux.vnet.ibm.com>
Tue, 21 Apr 2015 17:59:31 +0000 (13:59 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Aug 2015 16:29:56 +0000 (09:29 -0700)
commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.

To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled.  As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.

Some LSMs defer file labeling on pseudo filesystems.  This patch
permits the labeling of existing files on pseudo filesystems.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
security/integrity/evm/evm_main.c

index 7e71e066198f99471772078fcccd277ba16f8f1a..048550aacffc37510630c8b9c7e16025a7f9f4a5 100644 (file)
@@ -20,6 +20,7 @@
 #include <linux/xattr.h>
 #include <linux/integrity.h>
 #include <linux/evm.h>
+#include <linux/magic.h>
 #include <crypto/hash.h>
 #include "evm.h"
 
@@ -275,6 +276,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
                iint = integrity_iint_find(dentry->d_inode);
                if (iint && (iint->flags & IMA_NEW_FILE))
                        return 0;
+
+               /* exception for pseudo filesystems */
+               if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+                   || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+                       return 0;
+
+               integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+                                   dentry->d_inode, dentry->d_name.name,
+                                   "update_metadata",
+                                   integrity_status_msg[evm_status],
+                                   -EPERM, 0);
        }
 out:
        if (evm_status != INTEGRITY_PASS)
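Review bot: The one-line comment on the pseudo-filesystem exception does not say why the exception is safe, which is the whole point of the change; a maintainer reading only the code sees EVM protection waived for two magic numbers. I would replace it with `/* Pseudo filesystems are not persistent, so their xattrs cannot be stripped offline; allow existing files there to be labeled. */`. The same superblock field is dereferenced twice through dentry->d_inode->i_sb; hoisting it into `unsigned long magic = dentry->d_inode->i_sb->s_magic;` and testing `if (magic == TMPFS_MAGIC || magic == SYSFS_MAGIC)` reads better and makes the list easy to extend if other pseudo filesystems need the same treatment. Note also that the early return skips the integrity_audit_msg() call added just below it, so a relabel on these filesystems leaves no audit record; if that is intended it is worth saying so in the comment. The enclosing if block and the rest of evm_protect_xattr continue outside the hunk on both sides, so the guard condition that leads to this code is not visible here.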