projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d3b3367)
evm: provide option to protect additional SMACK xattrs
authorDmitry Kasatkin <d.kasatkin@samsung.com>
Fri, 28 Mar 2014 12:31:14 +0000 (14:31 +0200)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Thu, 12 Jun 2014 21:58:06 +0000 (17:58 -0400)
Newer versions of SMACK introduced following security xattrs:
SMACK64EXEC, SMACK64TRANSMUTE and SMACK64MMAP.

To protect these xattrs, this patch includes them in the HMAC
calculation.  However, for backwards compatibility with existing
labeled filesystems, including these xattrs needs to be
configurable.

Changelog:
- Add SMACK dependency on new option (Mimi)

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/evm/Kconfig patch | blob | blame | history
security/integrity/evm/evm_main.c patch | blob | blame | history

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index 0df4f7a2f1e9dba7ecfbb3bd5a5fd7532a08ea53..d606f3d12d6bfb8f27d849a3b4fa9fc9ee411875 100644 (file)
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -30,6 +30,23 @@ config EVM_ATTR_FSUUID
          additional info to the calculation, requires existing EVM
          labeled file systems to be relabeled.
 
+config EVM_EXTRA_SMACK_XATTRS
+       bool "Additional SMACK xattrs"
+       depends on EVM && SECURITY_SMACK
+       default n
+       help
+         Include additional SMACK xattrs for HMAC calculation.
+
+         In addition to the original security xattrs (eg. security.selinux,
+         security.SMACK64, security.capability, and security.ima) included
+         in the HMAC calculation, enabling this option includes newly defined
+         Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
+         security.SMACK64MMAP.
+
+         WARNING: changing the HMAC calculation method or adding
+         additional info to the calculation, requires existing EVM
+         labeled file systems to be relabeled.
+
 endmenu
 
 endif
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 1dc09190a94801f5e3268719ebb57c9310ebb8e7..73baf71688431c4903f0acf9eec53136152b0912 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -40,6 +40,11 @@ char *evm_config_xattrnames[] = {
 #endif
 #ifdef CONFIG_SECURITY_SMACK
        XATTR_NAME_SMACK,
+#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
+       XATTR_NAME_SMACKEXEC,
+       XATTR_NAME_SMACKTRANSMUTE,
+       XATTR_NAME_SMACKMMAP,
+#endif
 #endif
 #ifdef CONFIG_IMA_APPRAISE
        XATTR_NAME_IMA,