authorMimi Zohar <zohar@linux.vnet.ibm.com>2013-02-21 09:31:22 -0500
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-06-20 07:47:50 -0400
commit9b97b6cdd420cd62dae972eafaae7494a7670607 (patch)
tree4f5958063eb57849e4687e4c5366b1212a1d9d6a /security
parentd726d8d719b6ac919cc4d5cae73831a2ffe36118 (diff)
evm: audit integrity metadata failures
Before modifying an EVM protected extended attribute or any other metadata included in the HMAC calculation, the existing 'security.evm' is verified. This patch adds calls to integrity_audit_msg() to audit integrity metadata failures. Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security')
-rw-r--r--security/integrity/evm/evm_main.c15
1 files changed, 14 insertions, 1 deletions
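diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index cdbde1762189..df0fa451a871 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -16,6 +16,7 @@
 
 #include <linux/module.h>
 #include <linux/crypto.h>
+#include <linux/audit.h>
 #include <linux/xattr.h>
 #include <linux/integrity.h>
 #include <linux/evm.h>
@@ -24,6 +25,9 @@
 
 int evm_initialized;
 
+static char *integrity_status_msg[] = {
+	"pass", "fail", "no_label", "no_xattrs", "unknown"
+};
 char *evm_hmac = "hmac(sha1)";
 char *evm_hash = "sha1";
 int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
@@ -262,9 +266,15 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 	if ((evm_status == INTEGRITY_PASS) ||
 	    (evm_status == INTEGRITY_NOXATTRS))
 		return 0;
-	return -EPERM;
+	goto out;
 	}
 	evm_status = evm_verify_current_integrity(dentry);
+out:
+	if (evm_status != INTEGRITY_PASS)
+		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
+				    dentry->d_name.name, "appraise_metadata",
+				    integrity_status_msg[evm_status],
+				    -EPERM, 0);
 	return evm_status == INTEGRITY_PASS ? 0 : -EPERM;
 }
 
@@ -357,6 +367,9 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
 	if ((evm_status == INTEGRITY_PASS) ||
 	    (evm_status == INTEGRITY_NOXATTRS))
 		return 0;
+	integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
+			    dentry->d_name.name, "appraise_metadata",
+			    integrity_status_msg[evm_status], -EPERM, 0);
 	return -EPERM;
 }
 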
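Review bot: `integrity_status_msg[evm_status]` in the new audit calls in evm_protect_xattr and evm_inode_setattr indexes a five-entry table with a status value whose enum is defined outside this file, and nothing here ties the two together; if a status code is later added or reordered there, the lookup silently reads past the table and an unchecked string pointer goes into the audit record. At minimum the table wants a comment such as `/* Order must match the integrity status enum in linux/integrity.h */` placed above its definition, and a compile-time size check against that enum (or a bound such as `evm_status < ARRAY_SIZE(integrity_status_msg)` before the lookup) would make the audit path itself safe. The table also holds string literals that are never written, so `static const char * const integrity_status_msg[]` documents that and lets the compiler place it read-only. Both functions begin before the start of their hunks, so the origin of `evm_status` in each is not visible here.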