authorMimi Zohar <zohar@linux.vnet.ibm.com>2011-03-09 14:40:44 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2011-07-18 12:29:45 -0400
commitcb72318069d5e92eb74840118732c66eb38c812f (patch)
treeeb4e9a6c923567e01ddd1340f9430eb3c43f4aeb
parent975d294373d8c1c913ad2bf4eb93966d4c7ca38f (diff)
evm: add evm_inode_init_security to initialize new files
Initialize 'security.evm' for new files. Changelog v7: - renamed evm_inode_post_init_security to evm_inode_init_security - moved struct xattr definition to earlier patch - allocate xattr name Changelog v6: - Use 'struct evm_ima_xattr_data' Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-rw-r--r--include/linux/evm.h11
-rw-r--r--security/integrity/evm/evm.h3
-rw-r--r--security/integrity/evm/evm_crypto.c20
-rw-r--r--security/integrity/evm/evm_main.c38
4 files changed, 72 insertions, 0 deletions
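--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -9,6 +9,7 @@
 #define _LINUX_EVM_H
 
 #include <linux/integrity.h>
+#include <linux/xattr.h>
 
 #ifdef CONFIG_EVM
 extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
@@ -25,6 +26,9 @@ extern void evm_inode_post_setxattr(struct dentry *dentry,
 extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);
 extern void evm_inode_post_removexattr(struct dentry *dentry,
 				       const char *xattr_name);
+extern int evm_inode_init_security(struct inode *inode,
+				   const struct xattr *xattr_array,
+				   struct xattr *evm);
 #else
 #ifdef CONFIG_INTEGRITY
 static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
@@ -67,5 +71,12 @@ static inline void evm_inode_post_removexattr(struct dentry *dentry,
 	return;
 }
 
+static inline int evm_inode_init_security(struct inode *inode,
+					  const struct xattr *xattr_array,
+					  struct xattr *evm)
+{
+	return -EOPNOTSUPP;
+}
+
 #endif /* CONFIG_EVM_H */
 #endif /* LINUX_EVM_H */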
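Review bot: The second parameter of the new prototype and of the `!CONFIG_EVM` stub is named `xattr_array` (new lines 30 and 75), but the definition in security/integrity/evm/evm_main.c takes a single LSM xattr and calls it `lsm_xattr`; the header name suggests a NULL-terminated array that the implementation does not walk. Renaming both to `const struct xattr *lsm_xattr` keeps the header consistent with the definition and avoids misleading callers. The same mismatch appears in the evm_init_hmac prototype added to security/integrity/evm/evm.h, which names the parameter `xattr` while evm_crypto.c names it `lsm_xattr`. The declarations also carry no kernel-doc; a one-line comment such as `/* evm_inode_init_security - build the initial security.evm xattr for a new inode from its LSM xattr; -EOPNOTSUPP when EVM is not in use */` above the prototype would document the only error the stub returns.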
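--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -12,6 +12,7 @@
  * File: evm.h
  *
  */
+#include <linux/xattr.h>
 #include <linux/security.h>
 #include "../integrity.h"
 
@@ -29,5 +30,7 @@ extern int evm_update_evmxattr(struct dentry *dentry,
 extern int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
 			 const char *req_xattr_value,
 			 size_t req_xattr_value_len, char *digest);
+extern int evm_init_hmac(struct inode *inode, const struct xattr *xattr,
+			 char *hmac_val);
 extern int evm_init_secfs(void);
 extern void evm_cleanup_secfs(void);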
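--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -157,6 +157,26 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
 	return rc;
 }
 
+int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
+		  char *hmac_val)
+{
+	struct hash_desc desc;
+	struct scatterlist sg[1];
+	int error;
+
+	error = init_desc(&desc);
+	if (error != 0) {
+		printk(KERN_INFO "init_desc failed\n");
+		return error;
+	}
+
+	sg_init_one(sg, lsm_xattr->value, lsm_xattr->value_len);
+	crypto_hash_update(&desc, sg, lsm_xattr->value_len);
+	hmac_add_misc(&desc, inode, hmac_val);
+	crypto_free_hash(desc.tfm);
+	return 0;
+}
+
 /*
  * Get the key from the TPM for the SHA1-HMAC
  */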
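Review bot: The return value of crypto_hash_update() on new line 174 is discarded, so if the update fails the function still finalises through hmac_add_misc() and returns 0, and evm_inode_init_security() stores the resulting digest as the file's security.evm even though it was not computed over the LSM xattr value. The call should be checked and the transform released on the error path, as the init_desc() failure already is; whether hmac_add_misc() reports errors is not visible here, so it is left as is. The function also has no comment, while the neighbouring helper does; a header such as `/* evm_init_hmac - HMAC the initial LSM xattr value of a new inode, then let hmac_add_misc() finish the digest into hmac_val */` would match the file's style.
```c
	sg_init_one(sg, lsm_xattr->value, lsm_xattr->value_len);
	error = crypto_hash_update(&desc, sg, lsm_xattr->value_len);
	if (error != 0) {
		crypto_free_hash(desc.tfm);
		return error;
	}
	/* … unchanged: hmac_add_misc, crypto_free_hash, return 0 … */
```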
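--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -98,6 +98,12 @@ static int evm_protected_xattr(const char *req_xattr_name)
 			found = 1;
 			break;
 		}
+		if (strncmp(req_xattr_name,
+			    *xattrname + XATTR_SECURITY_PREFIX_LEN,
+			    strlen(req_xattr_name)) == 0) {
+			found = 1;
+			break;
+		}
 	}
 	return found;
 }
@@ -245,6 +251,38 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 	return;
 }
 
+/*
+ * evm_inode_init_security - initializes security.evm
+ */
+int evm_inode_init_security(struct inode *inode,
+			    const struct xattr *lsm_xattr,
+			    struct xattr *evm_xattr)
+{
+	struct evm_ima_xattr_data *xattr_data;
+	int rc;
+
+	if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name))
+		return -EOPNOTSUPP;
+
+	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
+	if (!xattr_data)
+		return -ENOMEM;
+
+	xattr_data->type = EVM_XATTR_HMAC;
+	rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
+	if (rc < 0)
+		goto out;
+
+	evm_xattr->value = xattr_data;
+	evm_xattr->value_len = sizeof(*xattr_data);
+	evm_xattr->name = kstrdup(XATTR_EVM_SUFFIX, GFP_NOFS);
+	return 0;
+out:
+	kfree(xattr_data);
+	return rc;
+}
+EXPORT_SYMBOL_GPL(evm_inode_init_security);
+
 static struct crypto_hash *tfm_hmac; /* preload crypto alg */
 static int __init init_evm(void)
 {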
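Review bot: The comparison added to evm_protected_xattr() (new lines 101-103) bounds strncmp() by `strlen(req_xattr_name)`, so any name that is merely a prefix of a protected suffix is reported as protected: a request for "sel" matches "selinux" because only the first three bytes are compared. Since the result gates whether a new inode's security.evm is initialised from that xattr, the match should be exact, `if (strcmp(req_xattr_name, *xattrname + XATTR_SECURITY_PREFIX_LEN) == 0) {`, or the lengths should be compared before strncmp(). The head of that function and of its loop lie outside the hunk, so how `xattrname` is advanced is not visible here. Separately, in the evm_inode_init_security() hunk the kstrdup() result on new line 278 is never checked, so on allocation failure the caller is handed rc 0 with a NULL `name`; `if (!evm_xattr->name) { rc = -ENOMEM; goto out; }` directly after the kstrdup() closes that path while reusing the existing cleanup label.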