3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream. To prevent offline stripping of existing file xattrs and relabeling of them at runtime, EVM allows only newly created files to be labeled. As pseudo filesystems are not persistent, stripping of xattrs is not a concern. Some LSMs defer file labeling on pseudo filesystems. This patch permits the labeling of existing files on pseudo files systems. Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- security/integrity/evm/evm_main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -20,6 +20,7 @@ #include <linux/xattr.h> #include <linux/integrity.h> #include <linux/evm.h> +#include <linux/magic.h> #include <crypto/hash.h> #include "evm.h" @@ -275,6 +276,17 @@ static int evm_protect_xattr(struct dent iint = integrity_iint_find(dentry->d_inode); if (iint && (iint->flags & IMA_NEW_FILE)) return 0; + + /* exception for pseudo filesystems */ + if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC + || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC) + return 0; + + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, + dentry->d_inode, dentry->d_name.name, + "update_metadata", + integrity_status_msg[evm_status], + -EPERM, 0); } out: if (evm_status != INTEGRITY_PASS) -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html