Re: [PATCH] EVM: Include security.apparmor in EVM measurements

John Johansen <john.johansen@xxxxxxxxxxxxx> · Fri, 13 Oct 2017 16:36:13 -0700



On 10/13/2017 03:09 PM, Matthew Garrett wrote:
> Apparmor will be gaining support for security.apparmor labels, and it
> would be helpful to include these in EVM validation now so appropriate
> signatures can be generated even before full support is merged.
> 
> Signed-off-by: Matthew Garrett <mjg59@xxxxxxxxxx>
Acked-by: John Johansen <John.johansen@xxxxxxxxxxxxx>


> ---
>  include/uapi/linux/xattr.h        | 3 +++
>  security/integrity/evm/evm_main.c | 3 +++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
> index 1590c49cae57..e630b9cd70cb 100644
> --- a/include/uapi/linux/xattr.h
> +++ b/include/uapi/linux/xattr.h
> @@ -65,6 +65,9 @@
>  #define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
>  #define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP
>  
> +#define XATTR_APPARMOR_SUFFIX "apparmor"
> +#define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
> +
>  #define XATTR_CAPS_SUFFIX "capability"
>  #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
>  
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 40bf3a20605d..78a5b1fddfc7 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -49,6 +49,9 @@ char *evm_config_xattrnames[] = {
>  	XATTR_NAME_SMACKMMAP,
>  #endif
>  #endif
> +#ifdef CONFIG_SECURITY_APPARMOR
> +	XATTR_NAME_APPARMOR,
> +#endif
>  #ifdef CONFIG_IMA_APPRAISE
>  	XATTR_NAME_IMA,
>  #endif
>