From: Seth F. <set...@ca...> - 2016-09-07 20:49:52
Ignore these xattrs in filesystems mounted in non-init user namespaces to avoid preventing access to files, and refuse to calculate new hmacs for files in these mounts. Writing EVM xattrs from userspace already requires global CAP_SYS_ADMIN, so no changes are required to prevent this.

Signed-off-by: Seth Forshee <set...@ca...>
---
 security/integrity/evm/evm_crypto.c | 2 +-
 security/integrity/evm/evm_main.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 11c1d30bd705..5a1738524fbb 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -182,7 +182,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
 	int error;
 	int size;
 
-	if (!inode->i_op->getxattr)
+	if (inode->i_sb->s_user_ns != &init_user_ns || !inode->i_op->getxattr)
 		return -EOPNOTSUPP;
 	desc = init_desc(type);
 	if (IS_ERR(desc))
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 35ab453ce861..7590f010d639 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -118,6 +118,9 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 	enum integrity_status evm_status = INTEGRITY_PASS;
 	int rc, xattr_len;
 
+	if (d_backing_inode(dentry)->i_sb->s_user_ns != &init_user_ns)
+		return INTEGRITY_UNKNOWN;
+
 	if (iint && iint->evm_status == INTEGRITY_PASS)
 		return iint->evm_status;
 
-- 
2.7.4
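Review bot: The user-namespace test added to the getxattr guard in evm_calc_hmac_or_hash is spelled out inline and then repeated, in a slightly different form, in evm_verify_hmac in the next hunk, so the two policy points can drift apart if one is later changed; a shared helper would keep them in step, e.g. `static inline bool evm_inode_in_init_userns(const struct inode *inode) { return inode->i_sb->s_user_ns == &init_user_ns; }` used by both sites. Merging the namespace test into the existing condition also means a caller receiving -EOPNOTSUPP can no longer distinguish "filesystem has no xattr support" from "mount owned by a non-init user namespace"; if nothing downstream needs that distinction, a comment above the condition should still record which policy it implements, e.g. `/* Refuse to calculate HMACs for files on mounts from non-init user namespaces. */`. The check reads `inode`, which is assigned earlier in the function outside this hunk; evm_calc_hmac_or_hash starts before the hunk and continues after it.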
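Review bot: The early `return INTEGRITY_UNKNOWN` in evm_verify_hmac is placed before the iint cache lookup and before the point where the function stores its result, so the verdict for these mounts is recomputed on every call and never cached in `iint->evm_status`; that is probably intended, but it deserves a comment. More significantly, any caller that treats every status other than INTEGRITY_PASS as a failure (the xattr-protection path is not visible in this hunk, but evm_protect_xattr in this file has historically mapped a non-PASS verdict to -EPERM) would now reject writes of EVM-protected xattrs on such mounts, which runs against the stated goal of not preventing access; how INTEGRITY_UNKNOWN is consumed by each caller should be confirmed before merging. A comment above the check would make the intent auditable, e.g. `/* EVM xattrs on mounts from non-init user namespaces are ignored; report UNKNOWN rather than FAIL so the file is not treated as tampered. */`. evm_verify_hmac starts before the hunk and continues after it.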