2 files changed, 22 insertions, 0 deletions
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index 0df4f7a2f1e9..d606f3d12d6b 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -30,6 +30,23 @@ config EVM_ATTR_FSUUID
          additional info to the calculation, requires existing EVM
          labeled file systems to be relabeled.
+config EVM_EXTRA_SMACK_XATTRS
+        bool "Additional SMACK xattrs"
+        depends on EVM && SECURITY_SMACK
+        default n
+        help
+          Include additional SMACK xattrs for HMAC calculation.
+          In addition to the original security xattrs (eg. security.selinux,
+          security.SMACK64, security.capability, and security.ima) included
+          in the HMAC calculation, enabling this option includes newly defined
+          Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
+          security.SMACK64MMAP.
+          WARNING: changing the HMAC calculation method or adding
+          additional info to the calculation, requires existing EVM
+          labeled file systems to be relabeled.
 endmenu
 endif
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 1dc09190a948..73baf7168843 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -40,6 +40,11 @@ char *evm_config_xattrnames[] = {
 #endif
 #ifdef CONFIG_SECURITY_SMACK
        XATTR_NAME_SMACK,
+#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
+        XATTR_NAME_SMACKEXEC,
+        XATTR_NAME_SMACKTRANSMUTE,
+        XATTR_NAME_SMACKMMAP,
+#endif
 #endif
 #ifdef CONFIG_IMA_APPRAISE
        XATTR_NAME_IMA,

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index 0df4f7a2f1e9..d606f3d12d6b 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig
@@ -30,6 +30,23 @@ config EVM_ATTR_FSUUID
30	additional info to the calculation, requires existing EVM	30	additional info to the calculation, requires existing EVM
31	labeled file systems to be relabeled.	31	labeled file systems to be relabeled.
32		32
		33	config EVM_EXTRA_SMACK_XATTRS
		34	bool "Additional SMACK xattrs"
		35	depends on EVM && SECURITY_SMACK
		36	default n
		37	help
		38	Include additional SMACK xattrs for HMAC calculation.
		39
		40	In addition to the original security xattrs (eg. security.selinux,
		41	security.SMACK64, security.capability, and security.ima) included
		42	in the HMAC calculation, enabling this option includes newly defined
		43	Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
		44	security.SMACK64MMAP.
		45
		46	WARNING: changing the HMAC calculation method or adding
		47	additional info to the calculation, requires existing EVM
		48	labeled file systems to be relabeled.
		49
33	endmenu	50	endmenu
34		51
35	endif	52	endif


diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 1dc09190a948..73baf7168843 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c
@@ -40,6 +40,11 @@ char *evm_config_xattrnames[] = {
40	#endif	40	#endif
41	#ifdef CONFIG_SECURITY_SMACK	41	#ifdef CONFIG_SECURITY_SMACK
42	XATTR_NAME_SMACK,	42	XATTR_NAME_SMACK,
		43	#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
		44	XATTR_NAME_SMACKEXEC,
		45	XATTR_NAME_SMACKTRANSMUTE,
		46	XATTR_NAME_SMACKMMAP,
		47	#endif
43	#endif	48	#endif
44	#ifdef CONFIG_IMA_APPRAISE	49	#ifdef CONFIG_IMA_APPRAISE
45	XATTR_NAME_IMA,	50	XATTR_NAME_IMA,