evm: labeling pseudo filesystems exception
To prevent offline stripping of existing file xattrs and relabeling of them at runtime, EVM allows only newly created files to be labeled. As pseudo filesystems are not persistent, stripping of xattrs is not a concern. Some LSMs defer file labeling on pseudo filesystems. This patch permits the labeling of existing files on pseudo filesystems. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent
a18d0cbfab
commit
5101a1850b
@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
|
||||
iint = integrity_iint_find(d_backing_inode(dentry));
|
||||
if (iint && (iint->flags & IMA_NEW_FILE))
|
||||
return 0;
|
||||
|
||||
/* exception for pseudo filesystems */
|
||||
if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
|
||||
|| dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
|
||||
return 0;
|
||||
|
||||
integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
|
||||
dentry->d_inode, dentry->d_name.name,
|
||||
"update_metadata",
|
||||
integrity_status_msg[evm_status],
|
||||
-EPERM, 0);
|
||||
}
|
||||
out:
|
||||
if (evm_status != INTEGRITY_PASS)
|
||||
|
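Review bot: The new pseudo-filesystem test in the `if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC` / `|| dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC` lines reads `dentry->d_inode` directly, while the line just above it looks up the iint through `d_backing_inode(dentry)`; on a stacked or union mount those can be different inodes, so the superblock magic should be taken from the same inode the IMA_NEW_FILE check used. I would hoist it once, `struct inode *inode = d_backing_inode(dentry);`, and use `inode->i_sb->s_magic` in both comparisons and `inode` in the audit call, or at minimum write `d_backing_inode(dentry)->i_sb->s_magic` in place of `dentry->d_inode->i_sb->s_magic`. The permitted path also returns before `integrity_audit_msg`, so a relabel of an existing file on tmpfs or sysfs leaves no audit record; presumably intended given the description, but worth stating next to the early return, e.g. `/* pseudo fs is not persistent: allow relabeling, no audit record */`. The exception is limited to TMPFS_MAGIC and SYSFS_MAGIC; whether other non-persistent filesystems that the deferred-labeling LSMs touch need the same treatment cannot be told from this hunk. evm_protect_xattr starts before the hunk, and the `}` on the line before `out:` closes a block opened outside it.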