| author | Mimi Zohar <[email protected]> | 2021-06-03 10:12:36 -0400 |
|---|---|---|
| committer | Mimi Zohar <[email protected]> | 2021-06-03 10:12:36 -0400 |
| commit | dc0983f2f9b6a9a9abe575a7ae15f873da694887 (patch) | |
| tree | 8310bbf6e53319a037ced2757fa30d4243338536 /include/linux | |
| parent | 5a25d8ceb8611c06797b74e22d04af2b9fefd130 (diff) | |
| parent | d721c15fd519c08819fbc6de39b713e2ed1d9894 (diff) | |
Merge branch 'verify-evm-portable-sig-v2' into next-integrity
From the cover letter:
The recent patch set 'evm: Improve usability of portable signatures' added
the possibility to include EVM portable signatures in the IMA measurement
list.
However, the information necessary to verify the signature was not
included in the IMA measurement list. This patch set introduces new
template fields to accomplish this goal:
- 'iuid': the inode UID;
- 'igid': the inode GID;
- 'imode': the inode mode;
- 'xattrnames': a list of xattr names (separated by |), only if the xattr is
present;
- 'xattrlengths': a list of xattr lengths (u32), only if the xattr is present;
- 'xattrvalues': a list of xattr values;
Patch 1 adds a helper function to show integers in the measurement list.
Patches 2, 3 and 5 introduce new template fields. Patch 4 makes it possible
to verify EVM portable signatures which protect xattrs belonging to LSMs
not enabled in the target platform. Patch 6 introduces the new IMA template
evm-sig. Patch 7 fixes a small issue in evm_write_xattrs() when audit is
not enabled.
Link: https://lore.kernel.org/linux-integrity/[email protected]/
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/evm.h | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/include/linux/evm.h b/include/linux/evm.h index 31ef1dbbb3ac..4c374be70247 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -38,6 +38,10 @@ extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); extern bool evm_revalidate_status(const char *xattr_name); +extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); +extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, + int buffer_size, char type, + bool canonical_fmt); #ifdef CONFIG_FS_POSIX_ACL extern int posix_xattr_acl(const char *xattrname); #else @@ -114,5 +118,17 @@ static inline bool evm_revalidate_status(const char *xattr_name) return false; } +static inline int evm_protected_xattr_if_enabled(const char *req_xattr_name) +{ + return false; +} + +static inline int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, + int buffer_size, char type, + bool canonical_fmt) +{ + return -EOPNOTSUPP; +} + #endif /* CONFIG_EVM */ #endif /* LINUX_EVM_H */ |
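Review bot: the two declarations added in the first hunk carry no kernel-doc, and the prototype `extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, int buffer_size, char type, bool canonical_fmt);` does not say which value `type` selects or what `canonical_fmt` changes in the output; since the cover letter says the series emits xattr names, lengths and values as separate template fields, a comment above the declaration naming the accepted `type` values and the meaning of the canonical format would let callers outside EVM use it correctly. `buffer_size` is also an `int` paired with a `u8 *` buffer; unless a negative size is meaningful here, `size_t` would rule out sign confusion at the call site.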
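Review bot: in the second hunk the `!CONFIG_EVM` stub `evm_protected_xattr_if_enabled()` returns `false` from a function declared `int`, while the neighbouring `evm_revalidate_status()` stub is declared `bool` and returns `false`; either declare the new function `bool` in both hunks or return `0` so the declared type and the returned value agree. The `evm_read_protected_xattrs()` stub returns `-EOPNOTSUPP`, and the hunk adds no errno include to evm.h, so it is worth confirming the header already pulls one in for builds without EVM; callers should also treat `-EOPNOTSUPP` as "no protected xattrs available" rather than as a hard failure when EVM is compiled out.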