3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Jun 2014 02:42:09 +0000 (19:42 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Jun 2014 02:42:09 +0000 (19:42 -0700)
added patches:
evm-prohibit-userspace-writing-security.evm-hmac-value.patch

queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch b/queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch
new file mode 100644 (file)
index 0000000..27c2bb1
--- /dev/null
@@ -0,0 +1,46 @@
+From 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Sun, 11 May 2014 00:05:23 -0400
+Subject: evm: prohibit userspace writing 'security.evm' HMAC value
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 upstream.
+
+Calculating the 'security.evm' HMAC value requires access to the
+EVM encrypted key.  Only the kernel should have access to it.  This
+patch prevents userspace tools(eg. setfattr, cp --preserve=xattr)
+from setting/modifying the 'security.evm' HMAC value directly.
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/evm/evm_main.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -271,12 +271,20 @@ static int evm_protect_xattr(struct dent
+  * @xattr_value: pointer to the new extended attribute value
+  * @xattr_value_len: pointer to the new extended attribute value length
+  *
+- * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
+- * the current value is valid.
++ * Before allowing the 'security.evm' protected xattr to be updated,
++ * verify the existing value is valid.  As only the kernel should have
++ * access to the EVM encrypted key needed to calculate the HMAC, prevent
++ * userspace from writing HMAC value.  Writing 'security.evm' requires
++ * requires CAP_SYS_ADMIN privileges.
+  */
+ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+                      const void *xattr_value, size_t xattr_value_len)
+ {
++      const struct evm_ima_xattr_data *xattr_data = xattr_value;
++
++      if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
++          && (xattr_data->type == EVM_XATTR_HMAC))
++              return -EPERM;
+       return evm_protect_xattr(dentry, xattr_name, xattr_value,
+                                xattr_value_len);
+ }
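Review bot: The new guard reads `xattr_data->type` before anything has checked that `xattr_value_len` covers that field, so a setxattr of `security.evm` with an empty or one-byte value drives the read past the caller-supplied buffer (and, if the VFS hands down a NULL value for size 0 as it appears to, a NULL dereference), and this runs ahead of the CAP_SYS_ADMIN check in evm_protect_xattr, so it is reachable by any caller with write permission on the file. The length should be validated before the type is inspected, e.g. `if (strcmp(xattr_name, XATTR_NAME_EVM) == 0 && xattr_value_len < sizeof(xattr_data->type)) return -EINVAL;` placed ahead of the existing HMAC test. The same hunk's new comment also doubles a word, "requires requires CAP_SYS_ADMIN privileges", which should read "requires CAP_SYS_ADMIN privileges". Since this is a backport of an upstream commit, the length check would need to be taken from or reconciled with upstream rather than patched only in the 3.4 queue.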
index a2a1404f6047a5e23802cb28cd6fdea8ba5a1051..3ae5bb37ec28e2f9bb15a3f36d0adb5fe58012b4 100644 (file)
@@ -1 +1,2 @@
 iscsi-target-reject-mutual-authentication-with-reflected-chap_c.patch
+evm-prohibit-userspace-writing-security.evm-hmac-value.patch