author | Gary S. Robertson <gary.robertson@linaro.org> | 2014-07-16 17:57:27 -0500 |
committer | Gary S. Robertson <gary.robertson@linaro.org> | 2014-07-16 17:57:27 -0500 |
commit | 5d8c39dfa92c11553a1091717407aeaddc3de603 (patch) | |
tree | 0df1e82ebdde6b9e3722fd16f9195be36a73c144 /security/integrity/evm | |
parent | 0993b170ac452761d5b49bca4f7022f2f14c50bc (diff) | |
parent | c0cbbdebe91a944d653ca75670b77bbf57498150 (diff) |
Merge tag 'v3.14.12' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into linux-lng-v3.14.xlinux-lng-3.14.12-2014.07
This is the 3.14.12 stable release
Conflicts:
arch/arm/mm/proc-v7-3level.S
kernel/hrtimer.c
mm/hugetlb.c
Diffstat (limited to 'security/integrity/evm')
-rw-r--r-- | security/integrity/evm/evm_main.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 336b3ddfe63f..3c5cbb977254 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -285,12 +285,20 @@ out:
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: pointer to the new extended attribute value length
 *
- * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
- * the current value is valid.
+ * Before allowing the 'security.evm' protected xattr to be updated,
+ * verify the existing value is valid. As only the kernel should have
+ * access to the EVM encrypted key needed to calculate the HMAC, prevent
+ * userspace from writing HMAC value. Writing 'security.evm' requires
+ * requires CAP_SYS_ADMIN privileges.
 */
 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 const void *xattr_value, size_t xattr_value_len)
 {
+ const struct evm_ima_xattr_data *xattr_data = xattr_value;
+
+ if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
+ && (xattr_data->type == EVM_XATTR_HMAC))
+ return -EPERM;
 return evm_protect_xattr(dentry, xattr_name, xattr_value,
 xattr_value_len);
 }
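Review bot: The new check reads `xattr_data->type` without first confirming that `xattr_value_len` covers that byte, so a zero-length write to `security.evm` reads past the caller's buffer, and if the setxattr path hands down a NULL value for a zero-length write (as the generic syscall code appears to do), it is a NULL dereference reachable from a CAP_SYS_ADMIN caller. The length guard belongs in the same condition, before the type is inspected, and an empty value is not a meaningful EVM xattr in any case, so it is better rejected outright: `if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { if (!xattr_value || xattr_value_len < 1) return -EINVAL; if (xattr_data->type == EVM_XATTR_HMAC) return -EPERM; }`. The same rewrite also drops the redundant parentheses around the two operands of `&&`. The rewritten kernel-doc has a doubled word, `requires / requires CAP_SYS_ADMIN privileges`, which should read `requires CAP_SYS_ADMIN privileges`.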