author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-03-09 14:40:44 -0500 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-07-18 12:29:45 -0400 |
commit | cb72318069d5e92eb74840118732c66eb38c812f (patch) | |
tree | eb4e9a6c923567e01ddd1340f9430eb3c43f4aeb | |
parent | 975d294373d8c1c913ad2bf4eb93966d4c7ca38f (diff) |
evm: add evm_inode_init_security to initialize new files
Initialize 'security.evm' for new files.
Changelog v7:
- renamed evm_inode_post_init_security to evm_inode_init_security
- moved struct xattr definition to earlier patch
- allocate xattr name
Changelog v6:
- Use 'struct evm_ima_xattr_data'
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-rw-r--r-- | include/linux/evm.h | 11 | ||||
-rw-r--r-- | security/integrity/evm/evm.h | 3 | ||||
-rw-r--r-- | security/integrity/evm/evm_crypto.c | 20 | ||||
-rw-r--r-- | security/integrity/evm/evm_main.c | 38 |
4 files changed, 72 insertions, 0 deletions
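--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -9,6 +9,7 @@
 #define _LINUX_EVM_H
 
 #include <linux/integrity.h>
+#include <linux/xattr.h>
 
 #ifdef CONFIG_EVM
 extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
@@ -25,6 +26,9 @@ extern void evm_inode_post_setxattr(struct dentry *dentry,
 extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);
 extern void evm_inode_post_removexattr(struct dentry *dentry,
 const char *xattr_name);
+extern int evm_inode_init_security(struct inode *inode,
+const struct xattr *xattr_array,
+struct xattr *evm);
 #else
 #ifdef CONFIG_INTEGRITY
 static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
@@ -67,5 +71,12 @@ static inline void evm_inode_post_removexattr(struct dentry *dentry,
 return;
 }
 
+static inline int evm_inode_init_security(struct inode *inode,
+const struct xattr *xattr_array,
+struct xattr *evm)
+{
+return -EOPNOTSUPP;
+}
+
 #endif /* CONFIG_EVM_H */
 #endif /* LINUX_EVM_H */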
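Review bot: The new declaration in the `CONFIG_EVM` branch names its second parameter `xattr_array`, but the definition added to evm_main.c in this commit takes a single `lsm_xattr` and dereferences only that one entry, so the header advertises an array contract the implementation does not have; the same mismatch appears as `xattr` in the `evm_init_hmac` prototype added to security/integrity/evm/evm.h. Rename to match the definitions, `const struct xattr *lsm_xattr,`, in both this declaration and the stub below it. The `-EOPNOTSUPP` stub relies on the errno constants reaching this header through its existing includes, which the hunk does not show.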
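--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -12,6 +12,7 @@
  * File: evm.h
  *
  */
+#include <linux/xattr.h>
 #include <linux/security.h>
 #include "../integrity.h"
 
@@ -29,5 +30,7 @@ extern int evm_update_evmxattr(struct dentry *dentry,
 extern int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
 const char *req_xattr_value,
 size_t req_xattr_value_len, char *digest);
+extern int evm_init_hmac(struct inode *inode, const struct xattr *xattr,
+char *hmac_val);
 extern int evm_init_secfs(void);
 extern void evm_cleanup_secfs(void);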
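--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -157,6 +157,26 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
 return rc;
 }
 
+int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
+char *hmac_val)
+{
+struct hash_desc desc;
+struct scatterlist sg[1];
+int error;
+
+error = init_desc(&desc);
+if (error != 0) {
+printk(KERN_INFO "init_desc failed\n");
+return error;
+}
+
+sg_init_one(sg, lsm_xattr->value, lsm_xattr->value_len);
+crypto_hash_update(&desc, sg, lsm_xattr->value_len);
+hmac_add_misc(&desc, inode, hmac_val);
+crypto_free_hash(desc.tfm);
+return 0;
+}
+
 /*
  * Get the key from the TPM for the SHA1-HMAC
  */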
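Review bot: The return value of `crypto_hash_update()` on the line after `sg_init_one()` is discarded, so a failed update still falls through to `hmac_add_misc()` and evm_init_hmac returns 0 with a digest computed over incomplete input. Capture it the way the preceding `init_desc()` result is captured, and release the transform on the error path as well as on success. Whether `hmac_add_misc()` can itself fail is not visible here since it is defined outside the hunk; if it returns a status, the same treatment applies.
```c
	sg_init_one(sg, lsm_xattr->value, lsm_xattr->value_len);
	error = crypto_hash_update(&desc, sg, lsm_xattr->value_len);
	if (error)
		goto out;
	hmac_add_misc(&desc, inode, hmac_val);
out:
	crypto_free_hash(desc.tfm);
	return error;
```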
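--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -98,6 +98,12 @@ static int evm_protected_xattr(const char *req_xattr_name)
 found = 1;
 break;
 }
+if (strncmp(req_xattr_name,
+*xattrname + XATTR_SECURITY_PREFIX_LEN,
+strlen(req_xattr_name)) == 0) {
+found = 1;
+break;
+}
 }
 return found;
 }
@@ -245,6 +251,38 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
 return;
 }
 
+/*
+ * evm_inode_init_security - initializes security.evm
+ */
+int evm_inode_init_security(struct inode *inode,
+const struct xattr *lsm_xattr,
+struct xattr *evm_xattr)
+{
+struct evm_ima_xattr_data *xattr_data;
+int rc;
+
+if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name))
+return -EOPNOTSUPP;
+
+xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
+if (!xattr_data)
+return -ENOMEM;
+
+xattr_data->type = EVM_XATTR_HMAC;
+rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
+if (rc < 0)
+goto out;
+
+evm_xattr->value = xattr_data;
+evm_xattr->value_len = sizeof(*xattr_data);
+evm_xattr->name = kstrdup(XATTR_EVM_SUFFIX, GFP_NOFS);
+return 0;
+out:
+kfree(xattr_data);
+return rc;
+}
+EXPORT_SYMBOL_GPL(evm_inode_init_security);
+
 static struct crypto_hash *tfm_hmac; /* preload crypto alg */
 static int __init init_evm(void)
 {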
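Review bot: The added `strncmp()` in evm_protected_xattr bounds the comparison by `strlen(req_xattr_name)`, so it is a prefix test rather than an equality test: a requested name that is merely a prefix of a protected suffix is reported as protected, and the empty string (length 0) matches every entry. Use a full comparison instead, `if (strcmp(req_xattr_name, *xattrname + XATTR_SECURITY_PREFIX_LEN) == 0) {`. In the second hunk, evm_inode_init_security stores the `kstrdup()` result into `evm_xattr->name` without checking it, so on allocation failure the function still returns 0 with a NULL name while `evm_xattr->value` has already been handed out; do the `kstrdup()` first and check it, `if (!evm_xattr->name) { rc = -ENOMEM; goto out; }`, before assigning `value` and `value_len`. The comment above the function uses `/*` rather than kernel-doc `/**`, and it should state that on success the caller owns and must free both `evm_xattr->name` and `evm_xattr->value`.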