[RFC,1/2] evm: Ignore EVM xattrs from user namespace mounts

Message ID 1473281383-144843-2-git-send-email-seth.forshee@canonical.com (mailing list archive)
State New, archived

Commit Message

Seth Forshee Sept. 7, 2016, 8:49 p.m. UTC
Ignore these xattrs in filesystems mounted in non-init user
namespaces to avoid preventing access to files, and refuse to
calculate new hmacs for files in these mounts. Writing EVM xattrs
from userspace already requires global CAP_SYS_ADMIN, so no
changes are required to prevent this.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
---
 security/integrity/evm/evm_crypto.c | 2 +-
 security/integrity/evm/evm_main.c   | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
Patch

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 11c1d30bd705..5a1738524fbb 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -182,7 +182,7 @@  static int evm_calc_hmac_or_hash(struct dentry *dentry,
 	int error;
 	int size;
 
-	if (!inode->i_op->getxattr)
+	if (inode->i_sb->s_user_ns != &init_user_ns || !inode->i_op->getxattr)
 		return -EOPNOTSUPP;
 	desc = init_desc(type);
 	if (IS_ERR(desc))
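
Review bot: the new condition is wider than the changelog's "refuse to calculate new hmacs": evm_calc_hmac_or_hash() is also the hash path used for signature verification (it is called with a `type` that is passed on to init_desc()), and the added `s_user_ns` test refuses both. If only HMAC generation is meant to be blocked, narrow it to the HMAC type, e.g. `if (type == EVM_XATTR_HMAC && inode->i_sb->s_user_ns != &init_user_ns)`, or state in the commit message that hash calculation is intentionally refused too. Either way, the user-namespace test deserves its own line with a comment saying why these mounts are excluded, rather than sharing a line with the unrelated missing-getxattr check; a reader who later sees only `-EOPNOTSUPP` cannot tell which of the two reasons fired.
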
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 35ab453ce861..7590f010d639 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -118,6 +118,9 @@  static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 	enum integrity_status evm_status = INTEGRITY_PASS;
 	int rc, xattr_len;
 
+	if (d_backing_inode(dentry)->i_sb->s_user_ns != &init_user_ns)
+		return INTEGRITY_UNKNOWN;
+
 	if (iint && iint->evm_status == INTEGRITY_PASS)
 		return iint->evm_status;
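
Review bot: returning INTEGRITY_UNKNOWN unconditionally, before the xattr is even read, changes the answer for files in these mounts that have no security.evm at all, which today come back as INTEGRITY_NOXATTRS. Callers that reach this through evm_verify_current_integrity(), notably evm_protect_xattr() and evm_inode_setattr(), let INTEGRITY_PASS and INTEGRITY_NOXATTRS through and turn every other status into -EPERM, so chmod/chown and writes to protected xattrs on regular files in non-init user namespace mounts would be refused once EVM is initialized, which is the opposite of the changelog's "avoid preventing access to files". Please confirm how those callers treat INTEGRITY_UNKNOWN, and either teach them to accept it or return INTEGRITY_NOXATTRS here. Separately, the early return is placed above the `iint->evm_status` cache check and never stores its result in `iint`, so the status is recomputed on every call; placing it after the cache check and recording it there would be consistent with the rest of the function.
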