3e38df56e6
Newer versions of SMACK introduced following security xattrs: SMACK64EXEC, SMACK64TRANSMUTE and SMACK64MMAP. To protect these xattrs, this patch includes them in the HMAC calculation. However, for backwards compatibility with existing labeled filesystems, including these xattrs needs to be configurable. Changelog: - Add SMACK dependency on new option (Mimi) Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
53 lines
1.3 KiB
Plaintext
53 lines
1.3 KiB
Plaintext
config EVM
|
|
boolean "EVM support"
|
|
depends on SECURITY
|
|
select KEYS
|
|
select ENCRYPTED_KEYS
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA1
|
|
default n
|
|
help
|
|
EVM protects a file's security extended attributes against
|
|
integrity attacks.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
if EVM
|
|
|
|
menu "EVM options"
|
|
|
|
config EVM_ATTR_FSUUID
|
|
bool "FSUUID (version 2)"
|
|
default y
|
|
depends on EVM
|
|
help
|
|
Include filesystem UUID for HMAC calculation.
|
|
|
|
Default value is 'selected', which is former version 2.
|
|
if 'not selected', it is former version 1
|
|
|
|
WARNING: changing the HMAC calculation method or adding
|
|
additional info to the calculation, requires existing EVM
|
|
labeled file systems to be relabeled.
|
|
|
|
config EVM_EXTRA_SMACK_XATTRS
|
|
bool "Additional SMACK xattrs"
|
|
depends on EVM && SECURITY_SMACK
|
|
default n
|
|
help
|
|
Include additional SMACK xattrs for HMAC calculation.
|
|
|
|
In addition to the original security xattrs (eg. security.selinux,
|
|
security.SMACK64, security.capability, and security.ima) included
|
|
in the HMAC calculation, enabling this option includes newly defined
|
|
Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
|
|
security.SMACK64MMAP.
|
|
|
|
WARNING: changing the HMAC calculation method or adding
|
|
additional info to the calculation, requires existing EVM
|
|
labeled file systems to be relabeled.
|
|
|
|
endmenu
|
|
|
|
endif
|