首页 发现 帮助
注册 登录
phyus
/
linux-vybrid_public
8
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

evm: add support for different security.evm data types

EVM protects a file's security extended attributes(xattrs) against integrity
attacks. The current patchset maintains an HMAC-sha1 value across the security
xattrs, storing the value as the extended attribute 'security.evm'. We
anticipate other methods for protecting the security extended attributes.
This patch reserves the first byte of 'security.evm' as a place holder for
the type of method.

Changelog v6:
- move evm_ima_xattr_type definition to security/integrity/integrity.h
- defined a structure for the EVM xattr called evm_ima_xattr_data
  (based on Serge Hallyn's suggestion)
- removed unnecessary memset

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Dmitry Kasatkin 14 年之前
父节点
66dbc325af
当前提交
6be5cc5246
共有 4 个文件被更改,包括 24 次插入9 次删除
合并视图 显示文件统计
  1. 1 0
      include/linux/integrity.h
  2. 7 4
      security/integrity/evm/evm_crypto.c
  3. 5 5
      security/integrity/evm/evm_main.c
  4. 11 0
      security/integrity/integrity.h

+ 1 - 0
include/linux/integrity.h
查看文件 

@@ -19,6 +19,7 @@ enum integrity_status {
 
 	INTEGRITY_UNKNOWN,
 
 	INTEGRITY_UNKNOWN,
 
 };
 
 };
 
 
 
+/* List of EVM protected security xattrs */
 
 #ifdef CONFIG_INTEGRITY
 
 #ifdef CONFIG_INTEGRITY
 
 extern int integrity_inode_alloc(struct inode *inode);
 
 extern int integrity_inode_alloc(struct inode *inode);
 
 extern void integrity_inode_free(struct inode *inode);
 
 extern void integrity_inode_free(struct inode *inode);

+ 7 - 4
security/integrity/evm/evm_crypto.c
查看文件 

@@ -141,14 +141,17 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
 
 			const char *xattr_value, size_t xattr_value_len)
 
 			const char *xattr_value, size_t xattr_value_len)
 
 {
 
 {
 
 	struct inode *inode = dentry->d_inode;
 
 	struct inode *inode = dentry->d_inode;
 
-	u8 hmac[SHA1_DIGEST_SIZE];
 
+	struct evm_ima_xattr_data xattr_data;
 
 	int rc = 0;
 
 	int rc = 0;
 
 
 
 	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
 
 	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
 
-			   xattr_value_len, hmac);
 
-	if (rc == 0)
 
+			   xattr_value_len, xattr_data.digest);
 
+	if (rc == 0) {
 
+		xattr_data.type = EVM_XATTR_HMAC;
 
 		rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM,
 
 		rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM,
 
-					   hmac, SHA1_DIGEST_SIZE, 0);
 
+					   &xattr_data,
 
+					   sizeof(xattr_data), 0);
 
+	}
 
 	else if (rc == -ENODATA)
 
 	else if (rc == -ENODATA)
 
 		rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM);
 
 		rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM);
 
 	return rc;
 
 	return rc;

+ 5 - 5
security/integrity/evm/evm_main.c
查看文件 

@@ -51,20 +51,20 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 
 					     size_t xattr_value_len,
 
 					     size_t xattr_value_len,
 
 					     struct integrity_iint_cache *iint)
 
 					     struct integrity_iint_cache *iint)
 
 {
 
 {
 
-	char hmac_val[SHA1_DIGEST_SIZE];
 
+	struct evm_ima_xattr_data xattr_data;
 
 	int rc;
 
 	int rc;
 
 
 
 	if (iint->hmac_status != INTEGRITY_UNKNOWN)
 
 	if (iint->hmac_status != INTEGRITY_UNKNOWN)
 
 		return iint->hmac_status;
 
 		return iint->hmac_status;
 
 
 
-	memset(hmac_val, 0, sizeof hmac_val);
 
 	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
 
 	rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
 
-			   xattr_value_len, hmac_val);
 
+			   xattr_value_len, xattr_data.digest);
 
 	if (rc < 0)
 
 	if (rc < 0)
 
 		return INTEGRITY_UNKNOWN;
 
 		return INTEGRITY_UNKNOWN;
 
 
 
-	rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, hmac_val, sizeof hmac_val,
 
-			   GFP_NOFS);
 
+	xattr_data.type = EVM_XATTR_HMAC;
 
+	rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, (u8 *)&xattr_data,
 
+			   sizeof xattr_data, GFP_NOFS);
 
 	if (rc < 0)
 
 	if (rc < 0)
 
 		goto err_out;
 
 		goto err_out;
 
 	iint->hmac_status = INTEGRITY_PASS;
 
 	iint->hmac_status = INTEGRITY_PASS;

+ 11 - 0
security/integrity/integrity.h
查看文件 

@@ -18,6 +18,17 @@
 
 /* iint cache flags */
 
 /* iint cache flags */
 
 #define IMA_MEASURED		0x01
 
 #define IMA_MEASURED		0x01
 
 
 
+enum evm_ima_xattr_type {
 
+	IMA_XATTR_DIGEST = 0x01,
 
+	EVM_XATTR_HMAC,
 
+	EVM_IMA_XATTR_DIGSIG,
 
+};
 
+
 
+struct evm_ima_xattr_data {
 
+	u8 type;
 
+	u8 digest[SHA1_DIGEST_SIZE];
 
+}  __attribute__((packed));
 
+
 
 /* integrity data associated with an inode */
 
 /* integrity data associated with an inode */
 
 struct integrity_iint_cache {
 
 struct integrity_iint_cache {
 
 	struct rb_node rb_node; /* rooted in integrity_iint_tree */
 
 	struct rb_node rb_node; /* rooted in integrity_iint_tree */