evm: replace HMAC version with attribute mask

Using HMAC version limits the posibility to arbitrarily add new attributes such as SMACK64EXEC to the hmac calculation. This patch replaces hmac version with attribute mask. Desired attributes can be enabled with configuration parameter. It allows to build kernels which works with previously labeled filesystems. Currently supported attribute is 'fsuuid' which is equivalent of the former version 2. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

evm: replace HMAC version with attribute mask
Using HMAC version limits the posibility to arbitrarily add new attributes such as SMACK64EXEC to the hmac calculation. This patch replaces hmac version with attribute mask. Desired attributes can be enabled with configuration parameter. It allows to build kernels which works with previously labeled filesystems. Currently supported attribute is 'fsuuid' which is equivalent of the former version 2. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
d3b33679 · Dmitry Kasatkin · Mimi Zohar · 060bdebf · d3b33679 · d3b33679
Commit d3b33679 authored Mar 28, 2014 by Dmitry Kasatkin Committed by Mimi Zohar Jun 12, 2014
4 changed files
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -12,15 +12,24 @@ config EVM
 	  If you are unsure how to answer this question, answer N.
-config EVM_HMAC_VERSION
+if EVM
-	int "EVM HMAC version"
+menu "EVM options"
+config EVM_ATTR_FSUUID
+	bool "FSUUID (version 2)"
+	default y
 	depends on EVM
-	default 2
 	help
-	  This options adds EVM HMAC version support.
+	  Include filesystem UUID for HMAC calculation.
-	  1 - original version
-	  2 - add per filesystem unique identifier (UUID) (default)
+	  Default value is 'selected', which is former version 2.
+	  if 'not selected', it is former version 1
-	  WARNING: changing the HMAC calculation method or adding 
+	  WARNING: changing the HMAC calculation method or adding
 	  additional info to the calculation, requires existing EVM
-	  labeled file systems to be relabeled.  
+	  labeled file systems to be relabeled.
+endmenu
+endif
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,7 +24,10 @@
 extern int evm_initialized;
 extern char *evm_hmac;
 extern char *evm_hash;
-extern int evm_hmac_version;
+#define EVM_ATTR_FSUUID		0x0001
+extern int evm_hmac_attrs;
 extern struct crypto_shash *hmac_tfm;
 extern struct crypto_shash *hash_tfm;

--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
 	hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
 	hmac_misc.mode = inode->i_mode;
 	crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
-	if (evm_hmac_version > 1)
+	if (evm_hmac_attrs & EVM_ATTR_FSUUID)
 		crypto_shash_update(desc, inode->i_sb->s_uuid,
 				    sizeof(inode->i_sb->s_uuid));
 	crypto_shash_final(desc, digest);

--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
 };
 char *evm_hmac = "hmac(sha1)";
 char *evm_hash = "sha1";
-int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
+int evm_hmac_attrs;
 char *evm_config_xattrnames[] = {
 #ifdef CONFIG_SECURITY_SELINUX
@@ -57,6 +57,14 @@ static int __init evm_set_fixmode(char *str)
 }
 __setup("evm=", evm_set_fixmode);
+static void __init evm_init_config(void)
+{
+#ifdef CONFIG_EVM_ATTR_FSUUID
+	evm_hmac_attrs |= EVM_ATTR_FSUUID;
+#endif
+	pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
+}
 static int evm_find_protected_xattrs(struct dentry *dentry)
 {
 	struct inode *inode = dentry->d_inode;
@@ -432,6 +440,8 @@ static int __init init_evm(void)
 {
 	int error;
+	evm_init_config();
 	error = evm_init_secfs();
 	if (error < 0) {
 		pr_info("Error registering secfs\n");