summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--security/integrity/evm/Kconfig17
-rw-r--r--security/integrity/evm/evm_main.c5
2 files changed, 22 insertions, 0 deletions
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index 0df4f7a2f1e9..d606f3d12d6b 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -30,6 +30,23 @@ config EVM_ATTR_FSUUID
additional info to the calculation, requires existing EVM
labeled file systems to be relabeled.
+config EVM_EXTRA_SMACK_XATTRS
+ bool "Additional SMACK xattrs"
+ depends on EVM && SECURITY_SMACK
+ default n
+ help
+ Include additional SMACK xattrs for HMAC calculation.
+
+ In addition to the original security xattrs (eg. security.selinux,
+ security.SMACK64, security.capability, and security.ima) included
+ in the HMAC calculation, enabling this option includes newly defined
+ Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
+ security.SMACK64MMAP.
+
+ WARNING: changing the HMAC calculation method or adding
+ additional info to the calculation, requires existing EVM
+ labeled file systems to be relabeled.
+
endmenu
endif
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 1dc09190a948..73baf7168843 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -40,6 +40,11 @@ char *evm_config_xattrnames[] = {
#endif
#ifdef CONFIG_SECURITY_SMACK
XATTR_NAME_SMACK,
+#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
+ XATTR_NAME_SMACKEXEC,
+ XATTR_NAME_SMACKTRANSMUTE,
+ XATTR_NAME_SMACKMMAP,
+#endif
#endif
#ifdef CONFIG_IMA_APPRAISE
XATTR_NAME_IMA,