Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.2 2011-09-14T19:24:51Z 2011-09-14T19:24:51Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-08-18T22:07:44Z urn:sha1:bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa The posix xattr acls are 'system' prefixed, which normally would not affect security.evm. An interesting side affect of writing posix xattr acls is their modifying of the i_mode, which is included in security.evm. This patch updates security.evm when posix xattr acls are written. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> 2011-08-11T07:42:41Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-08-11T04:22:52Z urn:sha1:5a4730ba9517cf2793175991243436a24b1db18f evm_inode_init_security() should return 0, when EVM is not enabled. (Returning an error is a remnant of evm_inode_post_init_security.) Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> 2011-08-11T07:42:07Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-08-11T04:22:51Z urn:sha1:e1c9b23adbe86c725738402857397d7a29f9d6ef - Missing 'inline' on evm_inode_setattr() definition. Introduced by commit 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm"). - Missing security_old_inode_init_security() stub function definition. Caused by commit 9d8f13ba3f48 ("security: new security_inode_init_security API adds function callback"). Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> 2011-07-18T16:29:50Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-05-13T16:53:38Z urn:sha1:817b54aa45db03437c6d09a7693fc6926eb8e822 Permit changing of security.evm only when valid, unless in fixmode. Reported-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@us.ibm.com> 2011-07-18T16:29:47Z Dmitry Kasatkin dmitry.kasatkin@nokia.com 2011-05-06T08:34:13Z urn:sha1:2960e6cb5f7c662b8edb6b0d2edc72095b4f5672 Additional iint parameter allows to skip lookup in the cache. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2011-07-18T16:29:45Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-03-09T19:40:44Z urn:sha1:cb72318069d5e92eb74840118732c66eb38c812f Initialize 'security.evm' for new files. Changelog v7: - renamed evm_inode_post_init_security to evm_inode_init_security - moved struct xattr definition to earlier patch - allocate xattr name Changelog v6: - Use 'struct evm_ima_xattr_data' Signed-off-by: Mimi Zohar <zohar@us.ibm.com> 2011-07-18T16:29:44Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-03-09T19:39:57Z urn:sha1:975d294373d8c1c913ad2bf4eb93966d4c7ca38f Changing the inode's metadata may require the 'security.evm' extended attribute to be re-calculated and updated. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> 2011-07-18T16:29:43Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-03-09T19:39:18Z urn:sha1:c7b87de23b6fd5dfbe5c36601f29d6c515056343 When an EVM protected extended attribute is removed, update 'security.evm'. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> 2011-07-18T16:29:42Z Mimi Zohar zohar@linux.vnet.ibm.com 2011-03-09T19:38:26Z urn:sha1:3e1be52d6c6b21d9080dd886c0e609e009831562 Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(), evm_inode_removexattr() in the security hooks. evm_inode_setxattr() protects security.evm xattr. evm_inode_post_setxattr() and evm_inode_removexattr() updates the hmac associated with an inode. (Assumes an LSM module protects the setting/removing of xattr.) Changelog: - Don't define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled. - xattr_name is a 'const', value is 'void *' Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>