security: imbed evm calls in security hooks

Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(), evm_inode_removexattr() in the security hooks. evm_inode_setxattr() protects security.evm xattr. evm_inode_post_setxattr() and evm_inode_removexattr() updates the hmac associated with an inode. (Assumes an LSM module protects the setting/removing of xattr.) Changelog: - Don't define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled. - xattr_name is a 'const', value is 'void *' Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2011-03-09 14:38:26 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2011-07-18 12:29:42 -0400
commit: 3e1be52d6c6b21d9080dd886c0e609e009831562 (patch)
tree: 2947250698b89eed0149af2d69a33b303c4d6be4 /include/linux/evm.h
parent: 6be5cc5246f807fd8ede9f5f1bb2826f2c598658 (diff)
1 files changed, 56 insertions, 0 deletions
diff --git a/include/linux/evm.h b/include/linux/evm.h
new file mode 100644
index 000000000000..8b4e9e3b395e
--- /dev/null
+++ b/include/linux/evm.h
@@ -0,0 +1,56 @@
+/*
+ * evm.h
+ *
+ * Copyright (c) 2009 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ */
+#ifndef _LINUX_EVM_H
+#define _LINUX_EVM_H
+#include <linux/integrity.h>
+#ifdef CONFIG_EVM
+extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
+                                             const char *xattr_name,
+                                             void *xattr_value,
+                                             size_t xattr_value_len);
+extern int evm_inode_setxattr(struct dentry *dentry, const char *name,
+                              const void *value, size_t size);
+extern void evm_inode_post_setxattr(struct dentry *dentry,
+                                    const char *xattr_name,
+                                    const void *xattr_value,
+                                    size_t xattr_value_len);
+extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);
+#else
+#ifdef CONFIG_INTEGRITY
+static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
+                                                    const char *xattr_name,
+                                                    void *xattr_value,
+                                                    size_t xattr_value_len)
+{
+        return INTEGRITY_UNKNOWN;
+}
+#endif
+static inline int evm_inode_setxattr(struct dentry *dentry, const char *name,
+                                     const void *value, size_t size)
+{
+        return 0;
+}
+static inline void evm_inode_post_setxattr(struct dentry *dentry,
+                                           const char *xattr_name,
+                                           const void *xattr_value,
+                                           size_t xattr_value_len)
+{
+        return;
+}
+static inline int evm_inode_removexattr(struct dentry *dentry,
+                                        const char *xattr_name)
+{
+        return 0;
+}
+#endif /* CONFIG_EVM_H */
+#endif /* LINUX_EVM_H */
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2011-03-09 14:38:26 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2011-07-18 12:29:42 -0400
commit	3e1be52d6c6b21d9080dd886c0e609e009831562 (patch)
tree	2947250698b89eed0149af2d69a33b303c4d6be4 /include/linux/evm.h
parent	6be5cc5246f807fd8ede9f5f1bb2826f2c598658 (diff)

diff --git a/include/linux/evm.h b/include/linux/evm.h new file mode 100644 index 000000000000..8b4e9e3b395e --- /dev/null +++ b/include/linux/evm.h
@@ -0,0 +1,56 @@
	1	/*
	2	* evm.h
	3	*
	4	* Copyright (c) 2009 IBM Corporation
	5	* Author: Mimi Zohar <zohar@us.ibm.com>
	6	*/
	7
	8	#ifndef _LINUX_EVM_H
	9	#define _LINUX_EVM_H
	10
	11	#include <linux/integrity.h>
	12
	13	#ifdef CONFIG_EVM
	14	extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
	15	const char *xattr_name,
	16	void *xattr_value,
	17	size_t xattr_value_len);
	18	extern int evm_inode_setxattr(struct dentry dentry, const char name,
	19	const void *value, size_t size);
	20	extern void evm_inode_post_setxattr(struct dentry *dentry,
	21	const char *xattr_name,
	22	const void *xattr_value,
	23	size_t xattr_value_len);
	24	extern int evm_inode_removexattr(struct dentry dentry, const char xattr_name);
	25	#else
	26	#ifdef CONFIG_INTEGRITY
	27	static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
	28	const char *xattr_name,
	29	void *xattr_value,
	30	size_t xattr_value_len)
	31	{
	32	return INTEGRITY_UNKNOWN;
	33	}
	34	#endif
	35
	36	static inline int evm_inode_setxattr(struct dentry dentry, const char name,
	37	const void *value, size_t size)
	38	{
	39	return 0;
	40	}
	41
	42	static inline void evm_inode_post_setxattr(struct dentry *dentry,
	43	const char *xattr_name,
	44	const void *xattr_value,
	45	size_t xattr_value_len)
	46	{
	47	return;
	48	}
	49
	50	static inline int evm_inode_removexattr(struct dentry *dentry,
	51	const char *xattr_name)
	52	{
	53	return 0;
	54	}
	55	#endif /* CONFIG_EVM_H */
	56	#endif /* LINUX_EVM_H */