EVM: Include security.apparmor in EVM measurements

Apparmor will be gaining support for security.apparmor labels, and it would be helpful to include these in EVM validation now so appropriate signatures can be generated even before full support is merged. Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: John Johansen <John.johansen@canonical.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2017-10-13 15:09:25 -07:00 · 2017-10-13 15:09:25 -07:00 · 096b854648
parent bb02b186d0
commit 096b854648
2 changed files with 6 additions and 0 deletions
--- a/include/uapi/linux/xattr.h
+++ b/include/uapi/linux/xattr.h
@ -65,6 +65,9 @@
 #define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
 #define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP

+#define XATTR_APPARMOR_SUFFIX "apparmor"
+#define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
+
 #define XATTR_CAPS_SUFFIX "capability"
 #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX

--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@ -49,6 +49,9 @@ char *evm_config_xattrnames[] = {
 	XATTR_NAME_SMACKMMAP,
 #endif
 #endif
+#ifdef CONFIG_SECURITY_APPARMOR
+	XATTR_NAME_APPARMOR,
+#endif
 #ifdef CONFIG_IMA_APPRAISE
 	XATTR_NAME_IMA,
 #endif