summaryrefslogtreecommitdiff
path: root/security/integrity/evm/evm_main.c
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-03-28 14:31:04 +0200
committerMimi Zohar <zohar@linux.vnet.ibm.com>2014-06-12 17:58:06 -0400
commitd3b33679481d52ef02311119d4342a9a1f3d84db (patch)
tree5e23d255b52239a4d478dc8b56e49871a4b732c4 /security/integrity/evm/evm_main.c
parent060bdebfb0b82751be89c0ce4b6e2c88606a354b (diff)
downloadlwn-d3b33679481d52ef02311119d4342a9a1f3d84db.tar.gz
lwn-d3b33679481d52ef02311119d4342a9a1f3d84db.zip
evm: replace HMAC version with attribute mask
Using HMAC version limits the posibility to arbitrarily add new attributes such as SMACK64EXEC to the hmac calculation. This patch replaces hmac version with attribute mask. Desired attributes can be enabled with configuration parameter. It allows to build kernels which works with previously labeled filesystems. Currently supported attribute is 'fsuuid' which is equivalent of the former version 2. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/evm/evm_main.c')
-rw-r--r--security/integrity/evm/evm_main.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 6e0bd933b6a9..1dc09190a948 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
};
char *evm_hmac = "hmac(sha1)";
char *evm_hash = "sha1";
-int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
+int evm_hmac_attrs;
char *evm_config_xattrnames[] = {
#ifdef CONFIG_SECURITY_SELINUX
@@ -57,6 +57,14 @@ static int __init evm_set_fixmode(char *str)
}
__setup("evm=", evm_set_fixmode);
+static void __init evm_init_config(void)
+{
+#ifdef CONFIG_EVM_ATTR_FSUUID
+ evm_hmac_attrs |= EVM_ATTR_FSUUID;
+#endif
+ pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
+}
+
static int evm_find_protected_xattrs(struct dentry *dentry)
{
struct inode *inode = dentry->d_inode;
@@ -432,6 +440,8 @@ static int __init init_evm(void)
{
int error;
+ evm_init_config();
+
error = evm_init_secfs();
if (error < 0) {
pr_info("Error registering secfs\n");