diff options
Diffstat (limited to 'security/integrity/evm/evm_main.c')
| -rw-r--r-- | security/integrity/evm/evm_main.c | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 6e0bd933b6a9..3bcb80df4d01 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c | |||
| @@ -32,7 +32,7 @@ static char *integrity_status_msg[] = { | |||
| 32 | }; | 32 | }; |
| 33 | char *evm_hmac = "hmac(sha1)"; | 33 | char *evm_hmac = "hmac(sha1)"; |
| 34 | char *evm_hash = "sha1"; | 34 | char *evm_hash = "sha1"; |
| 35 | int evm_hmac_version = CONFIG_EVM_HMAC_VERSION; | 35 | int evm_hmac_attrs; |
| 36 | 36 | ||
| 37 | char *evm_config_xattrnames[] = { | 37 | char *evm_config_xattrnames[] = { |
| 38 | #ifdef CONFIG_SECURITY_SELINUX | 38 | #ifdef CONFIG_SECURITY_SELINUX |
| @@ -40,6 +40,11 @@ char *evm_config_xattrnames[] = { | |||
| 40 | #endif | 40 | #endif |
| 41 | #ifdef CONFIG_SECURITY_SMACK | 41 | #ifdef CONFIG_SECURITY_SMACK |
| 42 | XATTR_NAME_SMACK, | 42 | XATTR_NAME_SMACK, |
| 43 | #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS | ||
| 44 | XATTR_NAME_SMACKEXEC, | ||
| 45 | XATTR_NAME_SMACKTRANSMUTE, | ||
| 46 | XATTR_NAME_SMACKMMAP, | ||
| 47 | #endif | ||
| 43 | #endif | 48 | #endif |
| 44 | #ifdef CONFIG_IMA_APPRAISE | 49 | #ifdef CONFIG_IMA_APPRAISE |
| 45 | XATTR_NAME_IMA, | 50 | XATTR_NAME_IMA, |
| @@ -57,6 +62,14 @@ static int __init evm_set_fixmode(char *str) | |||
| 57 | } | 62 | } |
| 58 | __setup("evm=", evm_set_fixmode); | 63 | __setup("evm=", evm_set_fixmode); |
| 59 | 64 | ||
| 65 | static void __init evm_init_config(void) | ||
| 66 | { | ||
| 67 | #ifdef CONFIG_EVM_ATTR_FSUUID | ||
| 68 | evm_hmac_attrs |= EVM_ATTR_FSUUID; | ||
| 69 | #endif | ||
| 70 | pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); | ||
| 71 | } | ||
| 72 | |||
| 60 | static int evm_find_protected_xattrs(struct dentry *dentry) | 73 | static int evm_find_protected_xattrs(struct dentry *dentry) |
| 61 | { | 74 | { |
| 62 | struct inode *inode = dentry->d_inode; | 75 | struct inode *inode = dentry->d_inode; |
| @@ -287,12 +300,20 @@ out: | |||
| 287 | * @xattr_value: pointer to the new extended attribute value | 300 | * @xattr_value: pointer to the new extended attribute value |
| 288 | * @xattr_value_len: pointer to the new extended attribute value length | 301 | * @xattr_value_len: pointer to the new extended attribute value length |
| 289 | * | 302 | * |
| 290 | * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that | 303 | * Before allowing the 'security.evm' protected xattr to be updated, |
| 291 | * the current value is valid. | 304 | * verify the existing value is valid. As only the kernel should have |
| 305 | * access to the EVM encrypted key needed to calculate the HMAC, prevent | ||
| 306 | * userspace from writing HMAC value. Writing 'security.evm' requires | ||
| 307 | * requires CAP_SYS_ADMIN privileges. | ||
| 292 | */ | 308 | */ |
| 293 | int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, | 309 | int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, |
| 294 | const void *xattr_value, size_t xattr_value_len) | 310 | const void *xattr_value, size_t xattr_value_len) |
| 295 | { | 311 | { |
| 312 | const struct evm_ima_xattr_data *xattr_data = xattr_value; | ||
| 313 | |||
| 314 | if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0) | ||
| 315 | && (xattr_data->type == EVM_XATTR_HMAC)) | ||
| 316 | return -EPERM; | ||
| 296 | return evm_protect_xattr(dentry, xattr_name, xattr_value, | 317 | return evm_protect_xattr(dentry, xattr_name, xattr_value, |
| 297 | xattr_value_len); | 318 | xattr_value_len); |
| 298 | } | 319 | } |
| @@ -432,6 +453,8 @@ static int __init init_evm(void) | |||
| 432 | { | 453 | { |
| 433 | int error; | 454 | int error; |
| 434 | 455 | ||
| 456 | evm_init_config(); | ||
| 457 | |||
| 435 | error = evm_init_secfs(); | 458 | error = evm_init_secfs(); |
| 436 | if (error < 0) { | 459 | if (error < 0) { |
| 437 | pr_info("Error registering secfs\n"); | 460 | pr_info("Error registering secfs\n"); |