From b7a648504f84ea908f8283df76a5932e29ad3c63 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 18 Jun 2014 19:42:09 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
evm-prohibit-userspace-writing-security.evm-hmac-value.patch
---
 ...pace-writing-security.evm-hmac-value.patch | 46 +++++++++++++++++++
 queue-3.4/series | 1 +
 2 files changed, 47 insertions(+)
 create mode 100644 queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch

diff --git a/queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch b/queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch
new file mode 100644
index 00000000000..27c2bb13af6
--- /dev/null
+++ b/queue-3.4/evm-prohibit-userspace-writing-security.evm-hmac-value.patch
@@ -0,0 +1,46 @@
+From 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Sun, 11 May 2014 00:05:23 -0400
+Subject: evm: prohibit userspace writing 'security.evm' HMAC value
+
+From: Mimi Zohar
+
+commit 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 upstream.
+
+Calculating the 'security.evm' HMAC value requires access to the
+EVM encrypted key. Only the kernel should have access to it. This
+patch prevents userspace tools(eg. setfattr, cp --preserve=xattr)
+from setting/modifying the 'security.evm' HMAC value directly.
+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/evm/evm_main.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -271,12 +271,20 @@ static int evm_protect_xattr(struct dent
+ * @xattr_value: pointer to the new extended attribute value
+ * @xattr_value_len: pointer to the new extended attribute value length
+ *
+- * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
+- * the current value is valid.
++ * Before allowing the 'security.evm' protected xattr to be updated,
++ * verify the existing value is valid. As only the kernel should have
++ * access to the EVM encrypted key needed to calculate the HMAC, prevent
++ * userspace from writing HMAC value. Writing 'security.evm' requires
++ * requires CAP_SYS_ADMIN privileges.
+ */
+ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+ const void *xattr_value, size_t xattr_value_len)
+ {
++ const struct evm_ima_xattr_data *xattr_data = xattr_value;
++
++ if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
++ && (xattr_data->type == EVM_XATTR_HMAC))
++ return -EPERM;
+ return evm_protect_xattr(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ }
diff --git a/queue-3.4/series b/queue-3.4/series
index a2a1404f604..3ae5bb37ec2 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
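Review bot: In the nested evm_main.c hunk, `xattr_data->type` is read before `xattr_value_len` is consulted, so a zero-length or sub-header value written to security.evm reads memory the caller never supplied (for an empty value the pointer is presumably NULL on the setxattr syscall path — confirm against the VFS caller). The name check should bound the length before looking at the type byte, which also keeps the rejection independent of whatever evm_protect_xattr (defined outside this hunk) does with short values. The new kernel-doc text on the `++ * userspace from writing HMAC value. Writing 'security.evm' requires` / `++ * requires CAP_SYS_ADMIN privileges.` lines doubles the word "requires"; drop the first occurrence. Note also that the guard only rejects EVM_XATTR_HMAC, so every other type byte still reaches evm_protect_xattr; whether all remaining types are safe to accept from userspace cannot be judged from this hunk. The kernel-doc block these lines belong to begins above the hunk.
```c
	const struct evm_ima_xattr_data *xattr_data = xattr_value;

	if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
		/* check the length before touching the header: the value may be empty */
		if (!xattr_value_len)
			return -EINVAL;
		if (xattr_data->type == EVM_XATTR_HMAC)
			return -EPERM;
	}
	/* … unchanged: evm_protect_xattr call … */
```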
@@ -1 +1,2 @@
 iscsi-target-reject-mutual-authentication-with-reflected-chap_c.patch
+evm-prohibit-userspace-writing-security.evm-hmac-value.patch
-- 
2.47.3