Message-id: <fa83f8d28e068d4cd1625d231302f6cad376ddc2.1393599538.git.d.kasatkin@samsung.com>
Date: Fri, 28 Feb 2014 16:59:31 +0200
From: Dmitry Kasatkin <d.kasatkin@...sung.com>
To: linux-security-module@...r.kernel.org, zohar@...ux.vnet.ibm.com
Cc: jmorris@...ei.org, linux-kernel@...r.kernel.org,
casey.schaufler@...el.com, dmitry.kasatkin@...il.com,
Dmitry Kasatkin <d.kasatkin@...sung.com>
Subject: [PATCH 7/8] evm: introduce EVM hmac attribute list
This patch replaces the use of the hmac version configuration parameter
with an attribute list. It allows building kernels which work with
previously labeled filesystems.
The currently supported attribute is 'fsuuid', which is equivalent to the
former version 2.
Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
---
security/integrity/evm/Kconfig | 19 ++++++++++---------
security/integrity/evm/evm.h | 4 +++-
security/integrity/evm/evm_crypto.c | 2 +-
security/integrity/evm/evm_main.c | 21 ++++++++++++++++++++-
4 files changed, 34 insertions(+), 12 deletions(-)
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index d35b491..2be51fa 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -12,15 +12,16 @@ config EVM
If you are unsure how to answer this question, answer N.
-config EVM_HMAC_VERSION
- int "EVM HMAC version"
- depends on EVM
- default 2
- help
- This options adds EVM HMAC version support.
- 1 - original version
- 2 - add per filesystem unique identifier (UUID) (default)
+config EVM_HMAC_ATTRS
+ string "HMAC attributes"
+ default "fsuuid"
+ help
+ This options allows to specify list of optional attributes included into HMAC
+ calculation. It makes it possible easily upgrade to newer kernels.
+
+ Default value is 'fsuuid', which is former version 2.
+ if blank, it is equivalent of version 1
WARNING: changing the HMAC calculation method or adding
additional info to the calculation, requires existing EVM
- labeled file systems to be relabeled.
+ labeled file systems to be relabeled.
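Review bot: the new EVM_HMAC_ATTRS option drops the `depends on EVM` line that EVM_HMAC_VERSION carried, so the string prompt will be offered even when EVM itself is not selected; put `depends on EVM` back under the `string "HMAC attributes"` line. The help text also reads awkwardly ("This options allows to specify list of optional attributes", "if blank, it is equivalent of version 1") and should state which attribute names are accepted and how several entries are separated, since an administrator editing this string has no other place to find that out.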
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 37c88dd..c8fa0aa 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,11 +24,13 @@
extern int evm_initialized;
extern char *evm_hmac;
extern char *evm_hash;
-extern int evm_hmac_version;
+extern int evm_hmac_attrs;
extern struct crypto_shash *hmac_tfm;
extern struct crypto_shash *hash_tfm;
+#define EVM_HMAC_ATTR_FSUUID 0x0001
+
/* List of EVM protected security xattrs */
extern char *evm_config_xattrnames[];
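Review bot: `evm_hmac_attrs` is used as a bitmask (EVM_HMAC_ATTR_FSUUID is 0x0001 and is OR-ed into it), so `unsigned int` is the more appropriate type than `int` for the new extern, and a one-line comment above the `#define` saying that each bit selects an optional input to the HMAC calculation would help the next person adding an attribute.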
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index babd862..ab034e5 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
hmac_misc.mode = inode->i_mode;
crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
- if (evm_hmac_version > 1)
+ if (evm_hmac_attrs & EVM_HMAC_ATTR_FSUUID)
crypto_shash_update(desc, inode->i_sb->s_uuid,
sizeof(inode->i_sb->s_uuid));
crypto_shash_final(desc, digest);
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 996092f..9c05929 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
};
char *evm_hmac = "hmac(sha1)";
char *evm_hash = "sha1";
-int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
+int evm_hmac_attrs;
char *evm_config_xattrnames[] = {
#ifdef CONFIG_SECURITY_SELINUX
@@ -57,6 +57,19 @@ static int __init evm_set_fixmode(char *str)
}
__setup("evm=", evm_set_fixmode);
+static int __init evm_init_config(void)
+{
+ char *attrs = CONFIG_EVM_HMAC_ATTRS;
+ char *p;
+
+ while ((p = strsep(&attrs, ", \t"))) {
+ if (!strcmp(p, "fsuuid"))
+ evm_hmac_attrs |= EVM_HMAC_ATTR_FSUUID;
+ }
+ pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
+ return 0;
+}
+
static int evm_find_protected_xattrs(struct dentry *dentry)
{
struct inode *inode = dentry->d_inode;
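Review bot: `attrs` points at the string literal expanded from CONFIG_EVM_HMAC_ATTRS, and `strsep()` writes a NUL over every delimiter it finds, so any configured value that actually contains a separator (for example "fsuuid, other") modifies read-only data; copy the string into a writable local buffer first (`char buf[] = CONFIG_EVM_HMAC_ATTRS;` then `char *attrs = buf;`) before tokenizing. Unknown tokens are also silently ignored and the function can only ever return 0, which makes the `error < 0` check at the caller unreachable; either return -EINVAL (with a pr_err naming the unrecognised attribute) or drop the return value and the caller's check.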
@@ -432,6 +445,12 @@ static int __init init_evm(void)
{
int error;
+ error = evm_init_config();
+ if (error < 0) {
+ pr_info("Error parsing config lists\n");
+ goto err;
+ }
+
error = evm_init_secfs();
if (error < 0) {
pr_info("Error registering secfs\n");
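Review bot: `evm_init_config()` as written never returns a negative value, so this `if (error < 0)` branch is dead unless the parser is changed to reject unknown attributes; if the check is kept, confirm that the existing `err` label (not visible in this hunk) is safe to jump to before evm_init_secfs() has run, and consider pr_err rather than pr_info for what is reported as an error.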
--
1.8.3.2