linux-integrity.vger.kernel.org archive mirror
* [PATCH] EVM: Include security.apparmor in EVM measurements
@ 2017-10-13 22:09 Matthew Garrett
  2017-10-13 23:36 ` John Johansen
  0 siblings, 1 reply; 3+ messages in thread
From: Matthew Garrett @ 2017-10-13 22:09 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, john.johansen, Matthew Garrett

Apparmor will be gaining support for security.apparmor labels, and it
would be helpful to include these in EVM validation now so appropriate
signatures can be generated even before full support is merged.

Signed-off-by: Matthew Garrett <mjg59@google.com>
---
 include/uapi/linux/xattr.h        | 3 +++
 security/integrity/evm/evm_main.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
index 1590c49cae57..e630b9cd70cb 100644
--- a/include/uapi/linux/xattr.h
+++ b/include/uapi/linux/xattr.h
@@ -65,6 +65,9 @@
 #define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
 #define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP
 
+#define XATTR_APPARMOR_SUFFIX "apparmor"
+#define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
+
 #define XATTR_CAPS_SUFFIX "capability"
 #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
 
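Review bot: the two added defines, XATTR_APPARMOR_SUFFIX and XATTR_NAME_APPARMOR, go into a uapi header without any comment, and the commit message says AppArmor does not yet consume this attribute. Once exported here the name "security.apparmor" is effectively fixed for userspace, so a short comment above the defines stating that the attribute is reserved for AppArmor labels would help, along with a line in the commit message confirming that this is the name AppArmor will use.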
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 40bf3a20605d..78a5b1fddfc7 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -49,6 +49,9 @@ char *evm_config_xattrnames[] = {
 	XATTR_NAME_SMACKMMAP,
 #endif
 #endif
+#ifdef CONFIG_SECURITY_APPARMOR
+	XATTR_NAME_APPARMOR,
+#endif
 #ifdef CONFIG_IMA_APPRAISE
 	XATTR_NAME_IMA,
 #endif
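Review bot: the new XATTR_NAME_APPARMOR entry is compiled in only under #ifdef CONFIG_SECURITY_APPARMOR, so whether security.apparmor is part of the set in evm_config_xattrnames depends on the kernel config. A file that carries the xattr would then be evaluated against a different xattr list on a kernel built with AppArmor than on one built without it. The commit message should say so, and should also state what is expected for files that already have both a security.apparmor xattr and a security.evm value computed before this change.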
-- 
2.15.0.rc0.271.g36b669edcc-goog


* Re: [PATCH] EVM: Include security.apparmor in EVM measurements
  2017-10-13 22:09 [PATCH] EVM: Include security.apparmor in EVM measurements Matthew Garrett
@ 2017-10-13 23:36 ` John Johansen
  2017-10-15 14:28   ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: John Johansen @ 2017-10-13 23:36 UTC (permalink / raw)
  To: Matthew Garrett, linux-integrity; +Cc: zohar

On 10/13/2017 03:09 PM, Matthew Garrett wrote:
> Apparmor will be gaining support for security.apparmor labels, and it
> would be helpful to include these in EVM validation now so appropriate
> signatures can be generated even before full support is merged.
> 
> Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: John Johansen <John.johansen@canonical.com>


> ---
>  include/uapi/linux/xattr.h        | 3 +++
>  security/integrity/evm/evm_main.c | 3 +++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
> index 1590c49cae57..e630b9cd70cb 100644
> --- a/include/uapi/linux/xattr.h
> +++ b/include/uapi/linux/xattr.h
> @@ -65,6 +65,9 @@
>  #define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
>  #define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP
>  
> +#define XATTR_APPARMOR_SUFFIX "apparmor"
> +#define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
> +
>  #define XATTR_CAPS_SUFFIX "capability"
>  #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
>  
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 40bf3a20605d..78a5b1fddfc7 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -49,6 +49,9 @@ char *evm_config_xattrnames[] = {
>  	XATTR_NAME_SMACKMMAP,
>  #endif
>  #endif
> +#ifdef CONFIG_SECURITY_APPARMOR
> +	XATTR_NAME_APPARMOR,
> +#endif
>  #ifdef CONFIG_IMA_APPRAISE
>  	XATTR_NAME_IMA,
>  #endif
> 


* Re: [PATCH] EVM: Include security.apparmor in EVM measurements
  2017-10-13 23:36 ` John Johansen
@ 2017-10-15 14:28   ` Mimi Zohar
  0 siblings, 0 replies; 3+ messages in thread
From: Mimi Zohar @ 2017-10-15 14:28 UTC (permalink / raw)
  To: John Johansen, Matthew Garrett, linux-integrity

On Fri, 2017-10-13 at 16:36 -0700, John Johansen wrote:
> On 10/13/2017 03:09 PM, Matthew Garrett wrote:
> > Apparmor will be gaining support for security.apparmor labels, and it
> > would be helpful to include these in EVM validation now so appropriate
> > signatures can be generated even before full support is merged.
> > 
> > Signed-off-by: Matthew Garrett <mjg59@google.com>
> Acked-by: John Johansen <John.johansen@canonical.com>

Thanks!

> 
> > ---
> >  include/uapi/linux/xattr.h        | 3 +++
> >  security/integrity/evm/evm_main.c | 3 +++
> >  2 files changed, 6 insertions(+)
> > 
> > diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
> > index 1590c49cae57..e630b9cd70cb 100644
> > --- a/include/uapi/linux/xattr.h
> > +++ b/include/uapi/linux/xattr.h
> > @@ -65,6 +65,9 @@
> >  #define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
> >  #define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP
> >  
> > +#define XATTR_APPARMOR_SUFFIX "apparmor"
> > +#define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
> > +
> >  #define XATTR_CAPS_SUFFIX "capability"
> >  #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
> >  
> > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > index 40bf3a20605d..78a5b1fddfc7 100644
> > --- a/security/integrity/evm/evm_main.c
> > +++ b/security/integrity/evm/evm_main.c
> > @@ -49,6 +49,9 @@ char *evm_config_xattrnames[] = {
> >  	XATTR_NAME_SMACKMMAP,
> >  #endif
> >  #endif
> > +#ifdef CONFIG_SECURITY_APPARMOR
> > +	XATTR_NAME_APPARMOR,
> > +#endif
> >  #ifdef CONFIG_IMA_APPRAISE
> >  	XATTR_NAME_IMA,
> >  #endif
> > 
> 
