diff options
| author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-03-28 08:31:14 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-06-12 17:58:06 -0400 |
| commit | 3e38df56e6ef736f3ab516664697b55caa8f3238 (patch) | |
| tree | 4d036957c07f05a0c5150e6af4111985de2abd59 /security | |
| parent | d3b33679481d52ef02311119d4342a9a1f3d84db (diff) | |
evm: provide option to protect additional SMACK xattrs
Newer versions of SMACK introduced following security xattrs:
SMACK64EXEC, SMACK64TRANSMUTE and SMACK64MMAP.
To protect these xattrs, this patch includes them in the HMAC
calculation. However, for backwards compatibility with existing
labeled filesystems, including these xattrs needs to be
configurable.
Changelog:
- Add SMACK dependency on new option (Mimi)
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/evm/Kconfig | 17 | ||||
| -rw-r--r-- | security/integrity/evm/evm_main.c | 5 |
2 files changed, 22 insertions, 0 deletions
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index 0df4f7a2f1e9..d606f3d12d6b 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig | |||
| @@ -30,6 +30,23 @@ config EVM_ATTR_FSUUID | |||
| 30 | additional info to the calculation, requires existing EVM | 30 | additional info to the calculation, requires existing EVM |
| 31 | labeled file systems to be relabeled. | 31 | labeled file systems to be relabeled. |
| 32 | 32 | ||
| 33 | config EVM_EXTRA_SMACK_XATTRS | ||
| 34 | bool "Additional SMACK xattrs" | ||
| 35 | depends on EVM && SECURITY_SMACK | ||
| 36 | default n | ||
| 37 | help | ||
| 38 | Include additional SMACK xattrs for HMAC calculation. | ||
| 39 | |||
| 40 | In addition to the original security xattrs (eg. security.selinux, | ||
| 41 | security.SMACK64, security.capability, and security.ima) included | ||
| 42 | in the HMAC calculation, enabling this option includes newly defined | ||
| 43 | Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and | ||
| 44 | security.SMACK64MMAP. | ||
| 45 | |||
| 46 | WARNING: changing the HMAC calculation method or adding | ||
| 47 | additional info to the calculation, requires existing EVM | ||
| 48 | labeled file systems to be relabeled. | ||
| 49 | |||
| 33 | endmenu | 50 | endmenu |
| 34 | 51 | ||
| 35 | endif | 52 | endif |
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 1dc09190a948..73baf7168843 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c | |||
| @@ -40,6 +40,11 @@ char *evm_config_xattrnames[] = { | |||
| 40 | #endif | 40 | #endif |
| 41 | #ifdef CONFIG_SECURITY_SMACK | 41 | #ifdef CONFIG_SECURITY_SMACK |
| 42 | XATTR_NAME_SMACK, | 42 | XATTR_NAME_SMACK, |
| 43 | #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS | ||
| 44 | XATTR_NAME_SMACKEXEC, | ||
| 45 | XATTR_NAME_SMACKTRANSMUTE, | ||
| 46 | XATTR_NAME_SMACKMMAP, | ||
| 47 | #endif | ||
| 43 | #endif | 48 | #endif |
| 44 | #ifdef CONFIG_IMA_APPRAISE | 49 | #ifdef CONFIG_IMA_APPRAISE |
| 45 | XATTR_NAME_IMA, | 50 | XATTR_NAME_IMA, |