Skip to content

Commit

Permalink
security: imbed evm calls in security hooks
Browse files Browse the repository at this point in the history
Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(),
evm_inode_removexattr() in the security hooks.  evm_inode_setxattr()
protects security.evm xattr.  evm_inode_post_setxattr() and
evm_inode_removexattr() updates the hmac associated with an inode.

(Assumes an LSM module protects the setting/removing of xattr.)

Changelog:
  - Don't define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.
  - xattr_name is a 'const', value is 'void *'

Signed-off-by: Mimi Zohar <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Mimi Zohar committed Jul 18, 2011
1 parent 6be5cc5 commit 3e1be52
Showing 3 changed files with 71 additions and 2 deletions.
56 changes: 56 additions & 0 deletions include/linux/evm.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/*
* evm.h
*
* Copyright (c) 2009 IBM Corporation
* Author: Mimi Zohar <[email protected]>
*/

#ifndef _LINUX_EVM_H
#define _LINUX_EVM_H

#include <linux/integrity.h>

#ifdef CONFIG_EVM
extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
const char *xattr_name,
void *xattr_value,
size_t xattr_value_len);
extern int evm_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size);
extern void evm_inode_post_setxattr(struct dentry *dentry,
const char *xattr_name,
const void *xattr_value,
size_t xattr_value_len);
extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name);
#else
#ifdef CONFIG_INTEGRITY
static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
const char *xattr_name,
void *xattr_value,
size_t xattr_value_len)
{
return INTEGRITY_UNKNOWN;
}
#endif

static inline int evm_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size)
{
return 0;
}

static inline void evm_inode_post_setxattr(struct dentry *dentry,
const char *xattr_name,
const void *xattr_value,
size_t xattr_value_len)
{
return;
}

static inline int evm_inode_removexattr(struct dentry *dentry,
const char *xattr_name)
{
return 0;
}
#endif /* CONFIG_EVM_H */
#endif /* LINUX_EVM_H */
1 change: 1 addition & 0 deletions security/integrity/evm/evm_main.c
Original file line number Diff line number Diff line change
@@ -18,6 +18,7 @@
#include <linux/crypto.h>
#include <linux/xattr.h>
#include <linux/integrity.h>
#include <linux/evm.h>
#include "evm.h"

int evm_initialized;
16 changes: 14 additions & 2 deletions security/security.c
Original file line number Diff line number Diff line change
@@ -18,6 +18,7 @@
#include <linux/security.h>
#include <linux/integrity.h>
#include <linux/ima.h>
#include <linux/evm.h>

#define MAX_LSM_XATTR 1

@@ -580,9 +581,14 @@ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
int security_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
int ret;

if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
return security_ops->inode_setxattr(dentry, name, value, size, flags);
ret = security_ops->inode_setxattr(dentry, name, value, size, flags);
if (ret)
return ret;
return evm_inode_setxattr(dentry, name, value, size);
}

void security_inode_post_setxattr(struct dentry *dentry, const char *name,
@@ -591,6 +597,7 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return;
security_ops->inode_post_setxattr(dentry, name, value, size, flags);
evm_inode_post_setxattr(dentry, name, value, size);
}

int security_inode_getxattr(struct dentry *dentry, const char *name)
@@ -609,9 +616,14 @@ int security_inode_listxattr(struct dentry *dentry)

int security_inode_removexattr(struct dentry *dentry, const char *name)
{
int ret;

if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
return security_ops->inode_removexattr(dentry, name);
ret = security_ops->inode_removexattr(dentry, name);
if (ret)
return ret;
return evm_inode_removexattr(dentry, name);
}

int security_inode_need_killpriv(struct dentry *dentry)

0 comments on commit 3e1be52

Please sign in to comment.