diff options
author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-03-09 14:38:26 -0500 |
---|---|---|
committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2011-07-18 12:29:42 -0400 |
commit | 3e1be52d6c6b21d9080dd886c0e609e009831562 (patch) | |
tree | 2947250698b89eed0149af2d69a33b303c4d6be4 /include/linux/evm.h | |
parent | 6be5cc5246f807fd8ede9f5f1bb2826f2c598658 (diff) | |
download | talos-op-linux-3e1be52d6c6b21d9080dd886c0e609e009831562.tar.gz talos-op-linux-3e1be52d6c6b21d9080dd886c0e609e009831562.zip |
security: imbed evm calls in security hooks
Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(),
evm_inode_removexattr() in the security hooks. evm_inode_setxattr()
protects security.evm xattr. evm_inode_post_setxattr() and
evm_inode_removexattr() updates the hmac associated with an inode.
(Assumes an LSM module protects the setting/removing of xattr.)
Changelog:
- Don't define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.
- xattr_name is a 'const', value is 'void *'
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Diffstat (limited to 'include/linux/evm.h')
-rw-r--r-- | include/linux/evm.h | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/include/linux/evm.h b/include/linux/evm.h new file mode 100644 index 000000000000..8b4e9e3b395e --- /dev/null +++ b/include/linux/evm.h @@ -0,0 +1,56 @@ +/* + * evm.h + * + * Copyright (c) 2009 IBM Corporation + * Author: Mimi Zohar <zohar@us.ibm.com> + */ + +#ifndef _LINUX_EVM_H +#define _LINUX_EVM_H + +#include <linux/integrity.h> + +#ifdef CONFIG_EVM +extern enum integrity_status evm_verifyxattr(struct dentry *dentry, + const char *xattr_name, + void *xattr_value, + size_t xattr_value_len); +extern int evm_inode_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size); +extern void evm_inode_post_setxattr(struct dentry *dentry, + const char *xattr_name, + const void *xattr_value, + size_t xattr_value_len); +extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name); +#else +#ifdef CONFIG_INTEGRITY +static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, + const char *xattr_name, + void *xattr_value, + size_t xattr_value_len) +{ + return INTEGRITY_UNKNOWN; +} +#endif + +static inline int evm_inode_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size) +{ + return 0; +} + +static inline void evm_inode_post_setxattr(struct dentry *dentry, + const char *xattr_name, + const void *xattr_value, + size_t xattr_value_len) +{ + return; +} + +static inline int evm_inode_removexattr(struct dentry *dentry, + const char *xattr_name) +{ + return 0; +} +#endif /* CONFIG_EVM_H */ +#endif /* LINUX_EVM_H */ |