evm: Don't update hmacs in user ns mounts

The kernel should not calculate new hmacs for mounts done by non-root users. Update evm_calc_hmac_or_hash() to refuse to calculate new hmacs for mounts for non-init user namespaces. Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: James Morris <[email protected]> Cc: Mimi Zohar <[email protected]> Cc: "Serge E. Hallyn" <[email protected]> Signed-off-by: Seth Forshee <[email protected]> Signed-off-by: Dongsu Park <[email protected]> Signed-off-by: Eric W. Biederman <[email protected]>
chewitt · May 3, 2018 · a3a5c96 · a3a5c96
1 parent 6da6c0d
commit a3a5c96
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
@@ -200,7 +200,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
 	int size;
 	bool ima_present = false;
 
-	if (!(inode->i_opflags & IOP_XATTR))
+	if (!(inode->i_opflags & IOP_XATTR) ||
+	    inode->i_sb->s_user_ns != &init_user_ns)
 		return -EOPNOTSUPP;
 
 	desc = init_desc(type);