authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-03-28 08:31:04 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-06-12 17:58:06 -0400
commitd3b33679481d52ef02311119d4342a9a1f3d84db (patch)
tree5e23d255b52239a4d478dc8b56e49871a4b732c4 /security/integrity/evm
parent060bdebfb0b82751be89c0ce4b6e2c88606a354b (diff)
evm: replace HMAC version with attribute mask
Using an HMAC version limits the possibility of arbitrarily adding new attributes such as SMACK64EXEC to the HMAC calculation. This patch replaces the HMAC version with an attribute mask. Desired attributes can be enabled with a configuration parameter. This allows building kernels that work with previously labeled filesystems. Currently the supported attribute is 'fsuuid', which is equivalent to the former version 2. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/evm')
-rw-r--r--security/integrity/evm/Kconfig25
-rw-r--r--security/integrity/evm/evm.h5
-rw-r--r--security/integrity/evm/evm_crypto.c2
-rw-r--r--security/integrity/evm/evm_main.c12
4 files changed, 33 insertions, 11 deletions
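--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -12,15 +12,24 @@ config EVM
 
 	  If you are unsure how to answer this question, answer N.
 
-config EVM_HMAC_VERSION
-	int "EVM HMAC version"
+if EVM
+
+menu "EVM options"
+
+config EVM_ATTR_FSUUID
+	bool "FSUUID (version 2)"
+	default y
 	depends on EVM
-	default 2
 	help
-	  This options adds EVM HMAC version support.
-	  1 - original version
-	  2 - add per filesystem unique identifier (UUID) (default)
+	  Include filesystem UUID for HMAC calculation.
+
+	  Default value is 'selected', which is former version 2.
+	  if 'not selected', it is former version 1
 
 	  WARNING: changing the HMAC calculation method or adding
 	  additional info to the calculation, requires existing EVM
 	  labeled file systems to be relabeled.
+
+endmenu
+
+endif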
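Review bot: The `depends on EVM` kept at new line 22 is redundant now that the option sits inside the `if EVM` / `endif` block added at lines 15 and 35, which already applies that dependency to everything it encloses; dropping it leaves one place to maintain. The help text at lines 26-27 reads awkwardly and mixes quoting styles; `If selected (the default), this is the former HMAC version 2; if not selected, the former version 1.` says the same thing. The existing WARNING paragraph still applies unchanged: toggling this option changes the HMAC input, so every file on an EVM-labeled filesystem fails verification until it is relabeled.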
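--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,7 +24,10 @@
 extern int evm_initialized;
 extern char *evm_hmac;
 extern char *evm_hash;
-extern int evm_hmac_version;
+
+#define EVM_ATTR_FSUUID 0x0001
+
+extern int evm_hmac_attrs;
 
 extern struct crypto_shash *hmac_tfm;
 extern struct crypto_shash *hash_tfm;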
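Review bot: `EVM_ATTR_FSUUID` at new line 28 is added without a comment, and `evm_hmac_attrs` at line 30 is declared `int` although this commit uses it purely as a bit mask (`|=` in evm_init_config, `&` in hmac_add_misc) and prints it with `%x`; `extern unsigned int evm_hmac_attrs;` here, together with the matching definition in evm_main.c, fits that use. A one-line comment above the define would also help a reader: `/* Bits of evm_hmac_attrs: extra inode attributes folded into the EVM HMAC; adding a bit changes the HMAC input and requires relabeling. */`.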
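--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
 	hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
 	hmac_misc.mode = inode->i_mode;
 	crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
-	if (evm_hmac_version > 1)
+	if (evm_hmac_attrs & EVM_ATTR_FSUUID)
 		crypto_shash_update(desc, inode->i_sb->s_uuid,
 				    sizeof(inode->i_sb->s_uuid));
 	crypto_shash_final(desc, digest);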
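Review bot: The new condition at line 115 is the one place where the attribute mask changes the HMAC input, and nothing near it says what the bit means; a short comment such as `/* EVM_ATTR_FSUUID: include the filesystem UUID (former HMAC version 2) */` would help. The value is read from the global `evm_hmac_attrs`, which is filled in during init, so this hunk relies on that initialization having run before any HMAC is computed or verified; the commit establishes that ordering elsewhere. hmac_add_misc starts outside the hunk.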
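--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
 };
 char *evm_hmac = "hmac(sha1)";
 char *evm_hash = "sha1";
-int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
+int evm_hmac_attrs;
 
 char *evm_config_xattrnames[] = {
 #ifdef CONFIG_SECURITY_SELINUX
@@ -57,6 +57,14 @@ static int __init evm_set_fixmode(char *str)
 }
 __setup("evm=", evm_set_fixmode);
 
+static void __init evm_init_config(void)
+{
+#ifdef CONFIG_EVM_ATTR_FSUUID
+	evm_hmac_attrs |= EVM_ATTR_FSUUID;
+#endif
+	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
+}
+
 static int evm_find_protected_xattrs(struct dentry *dentry)
 {
 	struct inode *inode = dentry->d_inode;
@@ -432,6 +440,8 @@ static int __init init_evm(void)
 {
 	int error;
 
+	evm_init_config();
+
 	error = evm_init_secfs();
 	if (error < 0) {
 		pr_info("Error registering secfs\n");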
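Review bot: `evm_init_config` at new lines 60-66 carries no comment explaining why it has to run first, yet the call placed at line 443 is what guarantees `evm_hmac_attrs` is populated before hmac_add_misc reads it; a header comment like `/* Build the HMAC attribute mask from Kconfig. Must run before any EVM HMAC is computed, since hmac_add_misc reads evm_hmac_attrs. */` would capture that. The pr_info at line 65 is worth keeping as is: the logged mask is what an administrator compares against the mask a filesystem was labeled with when verification starts failing after a config change. evm_init_config is fully visible; init_evm continues outside the hunk.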