diff options
Diffstat (limited to 'ANDROID_3.4.5/security/integrity/evm')
| -rw-r--r-- | ANDROID_3.4.5/security/integrity/evm/Kconfig | 13 | ||||
| -rw-r--r-- | ANDROID_3.4.5/security/integrity/evm/Makefile | 7 | ||||
| -rw-r--r-- | ANDROID_3.4.5/security/integrity/evm/evm.h | 50 | ||||
| -rw-r--r-- | ANDROID_3.4.5/security/integrity/evm/evm_crypto.c | 257 | ||||
| -rw-r--r-- | ANDROID_3.4.5/security/integrity/evm/evm_main.c | 452 | ||||
| -rw-r--r-- | ANDROID_3.4.5/security/integrity/evm/evm_posix_acl.c | 26 | ||||
| -rw-r--r-- | ANDROID_3.4.5/security/integrity/evm/evm_secfs.c | 108 |
7 files changed, 0 insertions, 913 deletions
diff --git a/ANDROID_3.4.5/security/integrity/evm/Kconfig b/ANDROID_3.4.5/security/integrity/evm/Kconfig deleted file mode 100644 index afbb59dd..00000000 --- a/ANDROID_3.4.5/security/integrity/evm/Kconfig +++ /dev/null @@ -1,13 +0,0 @@ -config EVM - boolean "EVM support" - depends on SECURITY && KEYS && (TRUSTED_KEYS=y || TRUSTED_KEYS=n) - select CRYPTO_HMAC - select CRYPTO_MD5 - select CRYPTO_SHA1 - select ENCRYPTED_KEYS - default n - help - EVM protects a file's security extended attributes against - integrity attacks. - - If you are unsure how to answer this question, answer N. diff --git a/ANDROID_3.4.5/security/integrity/evm/Makefile b/ANDROID_3.4.5/security/integrity/evm/Makefile deleted file mode 100644 index 7393c415..00000000 --- a/ANDROID_3.4.5/security/integrity/evm/Makefile +++ /dev/null @@ -1,7 +0,0 @@ -# -# Makefile for building the Extended Verification Module(EVM) -# -obj-$(CONFIG_EVM) += evm.o - -evm-y := evm_main.o evm_crypto.o evm_secfs.o -evm-$(CONFIG_FS_POSIX_ACL) += evm_posix_acl.o diff --git a/ANDROID_3.4.5/security/integrity/evm/evm.h b/ANDROID_3.4.5/security/integrity/evm/evm.h deleted file mode 100644 index c885247e..00000000 --- a/ANDROID_3.4.5/security/integrity/evm/evm.h +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright (C) 2005-2010 IBM Corporation - * - * Authors: - * Mimi Zohar <zohar@us.ibm.com> - * Kylene Hall <kjhall@us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2 of the License. - * - * File: evm.h - * - */ - -#ifndef __INTEGRITY_EVM_H -#define __INTEGRITY_EVM_H - -#include <linux/xattr.h> -#include <linux/security.h> - -#include "../integrity.h" - -extern int evm_initialized; -extern char *evm_hmac; -extern char *evm_hash; - -extern struct crypto_shash *hmac_tfm; -extern struct crypto_shash *hash_tfm; - -/* List of EVM protected security xattrs */ -extern char *evm_config_xattrnames[]; - -extern int evm_init_key(void); -extern int evm_update_evmxattr(struct dentry *dentry, - const char *req_xattr_name, - const char *req_xattr_value, - size_t req_xattr_value_len); -extern int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name, - const char *req_xattr_value, - size_t req_xattr_value_len, char *digest); -extern int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name, - const char *req_xattr_value, - size_t req_xattr_value_len, char *digest); -extern int evm_init_hmac(struct inode *inode, const struct xattr *xattr, - char *hmac_val); -extern int evm_init_secfs(void); -extern void evm_cleanup_secfs(void); - -#endif diff --git a/ANDROID_3.4.5/security/integrity/evm/evm_crypto.c b/ANDROID_3.4.5/security/integrity/evm/evm_crypto.c deleted file mode 100644 index 49a464f5..00000000 --- a/ANDROID_3.4.5/security/integrity/evm/evm_crypto.c +++ /dev/null @@ -1,257 +0,0 @@ -/* - * Copyright (C) 2005-2010 IBM Corporation - * - * Authors: - * Mimi Zohar <zohar@us.ibm.com> - * Kylene Hall <kjhall@us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2 of the License. - * - * File: evm_crypto.c - * Using root's kernel master key (kmk), calculate the HMAC - */ - -#include <linux/module.h> -#include <linux/crypto.h> -#include <linux/xattr.h> -#include <keys/encrypted-type.h> -#include <crypto/hash.h> -#include "evm.h" - -#define EVMKEY "evm-key" -#define MAX_KEY_SIZE 128 -static unsigned char evmkey[MAX_KEY_SIZE]; -static int evmkey_len = MAX_KEY_SIZE; - -struct crypto_shash *hmac_tfm; -struct crypto_shash *hash_tfm; - -static DEFINE_MUTEX(mutex); - -static struct shash_desc *init_desc(char type) -{ - long rc; - char *algo; - struct crypto_shash **tfm; - struct shash_desc *desc; - - if (type == EVM_XATTR_HMAC) { - tfm = &hmac_tfm; - algo = evm_hmac; - } else { - tfm = &hash_tfm; - algo = evm_hash; - } - - if (*tfm == NULL) { - mutex_lock(&mutex); - if (*tfm) - goto out; - *tfm = crypto_alloc_shash(algo, 0, CRYPTO_ALG_ASYNC); - if (IS_ERR(*tfm)) { - rc = PTR_ERR(*tfm); - pr_err("Can not allocate %s (reason: %ld)\n", algo, rc); - *tfm = NULL; - mutex_unlock(&mutex); - return ERR_PTR(rc); - } - if (type == EVM_XATTR_HMAC) { - rc = crypto_shash_setkey(*tfm, evmkey, evmkey_len); - if (rc) { - crypto_free_shash(*tfm); - *tfm = NULL; - mutex_unlock(&mutex); - return ERR_PTR(rc); - } - } -out: - mutex_unlock(&mutex); - } - - desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(*tfm), - GFP_KERNEL); - if (!desc) - return ERR_PTR(-ENOMEM); - - desc->tfm = *tfm; - desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; - - rc = crypto_shash_init(desc); - if (rc) { - kfree(desc); - return ERR_PTR(rc); - } - return desc; -} - -/* Protect against 'cutting & pasting' security.evm xattr, include inode - * specific info. - * - * (Additional directory/file metadata needs to be added for more complete - * protection.) - */ -static void hmac_add_misc(struct shash_desc *desc, struct inode *inode, - char *digest) -{ - struct h_misc { - unsigned long ino; - __u32 generation; - uid_t uid; - gid_t gid; - umode_t mode; - } hmac_misc; - - memset(&hmac_misc, 0, sizeof hmac_misc); - hmac_misc.ino = inode->i_ino; - hmac_misc.generation = inode->i_generation; - hmac_misc.uid = inode->i_uid; - hmac_misc.gid = inode->i_gid; - hmac_misc.mode = inode->i_mode; - crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof hmac_misc); - crypto_shash_final(desc, digest); -} - -/* - * Calculate the HMAC value across the set of protected security xattrs. - * - * Instead of retrieving the requested xattr, for performance, calculate - * the hmac using the requested xattr value. Don't alloc/free memory for - * each xattr, but attempt to re-use the previously allocated memory. - */ -static int evm_calc_hmac_or_hash(struct dentry *dentry, - const char *req_xattr_name, - const char *req_xattr_value, - size_t req_xattr_value_len, - char type, char *digest) -{ - struct inode *inode = dentry->d_inode; - struct shash_desc *desc; - char **xattrname; - size_t xattr_size = 0; - char *xattr_value = NULL; - int error; - int size; - - if (!inode->i_op || !inode->i_op->getxattr) - return -EOPNOTSUPP; - desc = init_desc(type); - if (IS_ERR(desc)) - return PTR_ERR(desc); - - error = -ENODATA; - for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { - if ((req_xattr_name && req_xattr_value) - && !strcmp(*xattrname, req_xattr_name)) { - error = 0; - crypto_shash_update(desc, (const u8 *)req_xattr_value, - req_xattr_value_len); - continue; - } - size = vfs_getxattr_alloc(dentry, *xattrname, - &xattr_value, xattr_size, GFP_NOFS); - if (size == -ENOMEM) { - error = -ENOMEM; - goto out; - } - if (size < 0) - continue; - - error = 0; - xattr_size = size; - crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size); - } - hmac_add_misc(desc, inode, digest); - -out: - kfree(xattr_value); - kfree(desc); - return error; -} - -int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name, - const char *req_xattr_value, size_t req_xattr_value_len, - char *digest) -{ - return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value, - req_xattr_value_len, EVM_XATTR_HMAC, digest); -} - -int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name, - const char *req_xattr_value, size_t req_xattr_value_len, - char *digest) -{ - return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value, - req_xattr_value_len, IMA_XATTR_DIGEST, digest); -} - -/* - * Calculate the hmac and update security.evm xattr - * - * Expects to be called with i_mutex locked. - */ -int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, - const char *xattr_value, size_t xattr_value_len) -{ - struct inode *inode = dentry->d_inode; - struct evm_ima_xattr_data xattr_data; - int rc = 0; - - rc = evm_calc_hmac(dentry, xattr_name, xattr_value, - xattr_value_len, xattr_data.digest); - if (rc == 0) { - xattr_data.type = EVM_XATTR_HMAC; - rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM, - &xattr_data, - sizeof(xattr_data), 0); - } - else if (rc == -ENODATA) - rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM); - return rc; -} - -int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr, - char *hmac_val) -{ - struct shash_desc *desc; - - desc = init_desc(EVM_XATTR_HMAC); - if (IS_ERR(desc)) { - printk(KERN_INFO "init_desc failed\n"); - return PTR_ERR(desc); - } - - crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len); - hmac_add_misc(desc, inode, hmac_val); - kfree(desc); - return 0; -} - -/* - * Get the key from the TPM for the SHA1-HMAC - */ -int evm_init_key(void) -{ - struct key *evm_key; - struct encrypted_key_payload *ekp; - int rc = 0; - - evm_key = request_key(&key_type_encrypted, EVMKEY, NULL); - if (IS_ERR(evm_key)) - return -ENOENT; - - down_read(&evm_key->sem); - ekp = evm_key->payload.data; - if (ekp->decrypted_datalen > MAX_KEY_SIZE) { - rc = -EINVAL; - goto out; - } - memcpy(evmkey, ekp->decrypted_data, ekp->decrypted_datalen); -out: - /* burn the original key contents */ - memset(ekp->decrypted_data, 0, ekp->decrypted_datalen); - up_read(&evm_key->sem); - key_put(evm_key); - return rc; -} diff --git a/ANDROID_3.4.5/security/integrity/evm/evm_main.c b/ANDROID_3.4.5/security/integrity/evm/evm_main.c deleted file mode 100644 index 89015014..00000000 --- a/ANDROID_3.4.5/security/integrity/evm/evm_main.c +++ /dev/null @@ -1,452 +0,0 @@ -/* - * Copyright (C) 2005-2010 IBM Corporation - * - * Author: - * Mimi Zohar <zohar@us.ibm.com> - * Kylene Hall <kjhall@us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2 of the License. - * - * File: evm_main.c - * implements evm_inode_setxattr, evm_inode_post_setxattr, - * evm_inode_removexattr, and evm_verifyxattr - */ - -#include <linux/module.h> -#include <linux/crypto.h> -#include <linux/xattr.h> -#include <linux/integrity.h> -#include <linux/evm.h> -#include <crypto/hash.h> -#include "evm.h" - -int evm_initialized; - -char *evm_hmac = "hmac(sha1)"; -char *evm_hash = "sha1"; - -char *evm_config_xattrnames[] = { -#ifdef CONFIG_SECURITY_SELINUX - XATTR_NAME_SELINUX, -#endif -#ifdef CONFIG_SECURITY_SMACK - XATTR_NAME_SMACK, -#endif - XATTR_NAME_CAPS, - NULL -}; - -static int evm_fixmode; -static int __init evm_set_fixmode(char *str) -{ - if (strncmp(str, "fix", 3) == 0) - evm_fixmode = 1; - return 0; -} -__setup("evm=", evm_set_fixmode); - -static int evm_find_protected_xattrs(struct dentry *dentry) -{ - struct inode *inode = dentry->d_inode; - char **xattr; - int error; - int count = 0; - - if (!inode->i_op || !inode->i_op->getxattr) - return -EOPNOTSUPP; - - for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { - error = inode->i_op->getxattr(dentry, *xattr, NULL, 0); - if (error < 0) { - if (error == -ENODATA) - continue; - return error; - } - count++; - } - - return count; -} - -/* - * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr - * - * Compute the HMAC on the dentry's protected set of extended attributes - * and compare it against the stored security.evm xattr. - * - * For performance: - * - use the previoulsy retrieved xattr value and length to calculate the - * HMAC.) - * - cache the verification result in the iint, when available. - * - * Returns integrity status - */ -static enum integrity_status evm_verify_hmac(struct dentry *dentry, - const char *xattr_name, - char *xattr_value, - size_t xattr_value_len, - struct integrity_iint_cache *iint) -{ - struct evm_ima_xattr_data *xattr_data = NULL; - struct evm_ima_xattr_data calc; - enum integrity_status evm_status = INTEGRITY_PASS; - int rc, xattr_len; - - if (iint && iint->evm_status == INTEGRITY_PASS) - return iint->evm_status; - - /* if status is not PASS, try to check again - against -ENOMEM */ - - /* first need to know the sig type */ - rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0, - GFP_NOFS); - if (rc <= 0) { - if (rc == 0) - evm_status = INTEGRITY_FAIL; /* empty */ - else if (rc == -ENODATA) { - rc = evm_find_protected_xattrs(dentry); - if (rc > 0) - evm_status = INTEGRITY_NOLABEL; - else if (rc == 0) - evm_status = INTEGRITY_NOXATTRS; /* new file */ - } - goto out; - } - - xattr_len = rc - 1; - - /* check value type */ - switch (xattr_data->type) { - case EVM_XATTR_HMAC: - rc = evm_calc_hmac(dentry, xattr_name, xattr_value, - xattr_value_len, calc.digest); - if (rc) - break; - rc = memcmp(xattr_data->digest, calc.digest, - sizeof(calc.digest)); - if (rc) - rc = -EINVAL; - break; - case EVM_IMA_XATTR_DIGSIG: - rc = evm_calc_hash(dentry, xattr_name, xattr_value, - xattr_value_len, calc.digest); - if (rc) - break; - rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, - xattr_data->digest, xattr_len, - calc.digest, sizeof(calc.digest)); - if (!rc) { - /* we probably want to replace rsa with hmac here */ - evm_update_evmxattr(dentry, xattr_name, xattr_value, - xattr_value_len); - } - break; - default: - rc = -EINVAL; - break; - } - - if (rc) - evm_status = (rc == -ENODATA) ? - INTEGRITY_NOXATTRS : INTEGRITY_FAIL; -out: - if (iint) - iint->evm_status = evm_status; - kfree(xattr_data); - return evm_status; -} - -static int evm_protected_xattr(const char *req_xattr_name) -{ - char **xattrname; - int namelen; - int found = 0; - - namelen = strlen(req_xattr_name); - for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { - if ((strlen(*xattrname) == namelen) - && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { - found = 1; - break; - } - if (strncmp(req_xattr_name, - *xattrname + XATTR_SECURITY_PREFIX_LEN, - strlen(req_xattr_name)) == 0) { - found = 1; - break; - } - } - return found; -} - -/** - * evm_verifyxattr - verify the integrity of the requested xattr - * @dentry: object of the verify xattr - * @xattr_name: requested xattr - * @xattr_value: requested xattr value - * @xattr_value_len: requested xattr value length - * - * Calculate the HMAC for the given dentry and verify it against the stored - * security.evm xattr. For performance, use the xattr value and length - * previously retrieved to calculate the HMAC. - * - * Returns the xattr integrity status. - * - * This function requires the caller to lock the inode's i_mutex before it - * is executed. - */ -enum integrity_status evm_verifyxattr(struct dentry *dentry, - const char *xattr_name, - void *xattr_value, size_t xattr_value_len, - struct integrity_iint_cache *iint) -{ - if (!evm_initialized || !evm_protected_xattr(xattr_name)) - return INTEGRITY_UNKNOWN; - - if (!iint) { - iint = integrity_iint_find(dentry->d_inode); - if (!iint) - return INTEGRITY_UNKNOWN; - } - return evm_verify_hmac(dentry, xattr_name, xattr_value, - xattr_value_len, iint); -} -EXPORT_SYMBOL_GPL(evm_verifyxattr); - -/* - * evm_verify_current_integrity - verify the dentry's metadata integrity - * @dentry: pointer to the affected dentry - * - * Verify and return the dentry's metadata integrity. The exceptions are - * before EVM is initialized or in 'fix' mode. - */ -static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) -{ - struct inode *inode = dentry->d_inode; - - if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode) - return 0; - return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); -} - -/* - * evm_protect_xattr - protect the EVM extended attribute - * - * Prevent security.evm from being modified or removed without the - * necessary permissions or when the existing value is invalid. - * - * The posix xattr acls are 'system' prefixed, which normally would not - * affect security.evm. An interesting side affect of writing posix xattr - * acls is their modifying of the i_mode, which is included in security.evm. - * For posix xattr acls only, permit security.evm, even if it currently - * doesn't exist, to be updated. - */ -static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) -{ - enum integrity_status evm_status; - - if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - } else if (!evm_protected_xattr(xattr_name)) { - if (!posix_xattr_acl(xattr_name)) - return 0; - evm_status = evm_verify_current_integrity(dentry); - if ((evm_status == INTEGRITY_PASS) || - (evm_status == INTEGRITY_NOXATTRS)) - return 0; - return -EPERM; - } - evm_status = evm_verify_current_integrity(dentry); - return evm_status == INTEGRITY_PASS ? 0 : -EPERM; -} - -/** - * evm_inode_setxattr - protect the EVM extended attribute - * @dentry: pointer to the affected dentry - * @xattr_name: pointer to the affected extended attribute name - * @xattr_value: pointer to the new extended attribute value - * @xattr_value_len: pointer to the new extended attribute value length - * - * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that - * the current value is valid. - */ -int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) -{ - return evm_protect_xattr(dentry, xattr_name, xattr_value, - xattr_value_len); -} - -/** - * evm_inode_removexattr - protect the EVM extended attribute - * @dentry: pointer to the affected dentry - * @xattr_name: pointer to the affected extended attribute name - * - * Removing 'security.evm' requires CAP_SYS_ADMIN privileges and that - * the current value is valid. - */ -int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) -{ - return evm_protect_xattr(dentry, xattr_name, NULL, 0); -} - -/** - * evm_inode_post_setxattr - update 'security.evm' to reflect the changes - * @dentry: pointer to the affected dentry - * @xattr_name: pointer to the affected extended attribute name - * @xattr_value: pointer to the new extended attribute value - * @xattr_value_len: pointer to the new extended attribute value length - * - * Update the HMAC stored in 'security.evm' to reflect the change. - * - * No need to take the i_mutex lock here, as this function is called from - * __vfs_setxattr_noperm(). The caller of which has taken the inode's - * i_mutex lock. - */ -void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) -{ - if (!evm_initialized || (!evm_protected_xattr(xattr_name) - && !posix_xattr_acl(xattr_name))) - return; - - evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); - return; -} - -/** - * evm_inode_post_removexattr - update 'security.evm' after removing the xattr - * @dentry: pointer to the affected dentry - * @xattr_name: pointer to the affected extended attribute name - * - * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. - */ -void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) -{ - struct inode *inode = dentry->d_inode; - - if (!evm_initialized || !evm_protected_xattr(xattr_name)) - return; - - mutex_lock(&inode->i_mutex); - evm_update_evmxattr(dentry, xattr_name, NULL, 0); - mutex_unlock(&inode->i_mutex); - return; -} - -/** - * evm_inode_setattr - prevent updating an invalid EVM extended attribute - * @dentry: pointer to the affected dentry - */ -int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) -{ - unsigned int ia_valid = attr->ia_valid; - enum integrity_status evm_status; - - if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) - return 0; - evm_status = evm_verify_current_integrity(dentry); - if ((evm_status == INTEGRITY_PASS) || - (evm_status == INTEGRITY_NOXATTRS)) - return 0; - return -EPERM; -} - -/** - * evm_inode_post_setattr - update 'security.evm' after modifying metadata - * @dentry: pointer to the affected dentry - * @ia_valid: for the UID and GID status - * - * For now, update the HMAC stored in 'security.evm' to reflect UID/GID - * changes. - * - * This function is called from notify_change(), which expects the caller - * to lock the inode's i_mutex. - */ -void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) -{ - if (!evm_initialized) - return; - - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) - evm_update_evmxattr(dentry, NULL, NULL, 0); - return; -} - -/* - * evm_inode_init_security - initializes security.evm - */ -int evm_inode_init_security(struct inode *inode, - const struct xattr *lsm_xattr, - struct xattr *evm_xattr) -{ - struct evm_ima_xattr_data *xattr_data; - int rc; - - if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name)) - return 0; - - xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); - if (!xattr_data) - return -ENOMEM; - - xattr_data->type = EVM_XATTR_HMAC; - rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); - if (rc < 0) - goto out; - - evm_xattr->value = xattr_data; - evm_xattr->value_len = sizeof(*xattr_data); - evm_xattr->name = kstrdup(XATTR_EVM_SUFFIX, GFP_NOFS); - return 0; -out: - kfree(xattr_data); - return rc; -} -EXPORT_SYMBOL_GPL(evm_inode_init_security); - -static int __init init_evm(void) -{ - int error; - - error = evm_init_secfs(); - if (error < 0) { - printk(KERN_INFO "EVM: Error registering secfs\n"); - goto err; - } - - return 0; -err: - return error; -} - -static void __exit cleanup_evm(void) -{ - evm_cleanup_secfs(); - if (hmac_tfm) - crypto_free_shash(hmac_tfm); - if (hash_tfm) - crypto_free_shash(hash_tfm); -} - -/* - * evm_display_config - list the EVM protected security extended attributes - */ -static int __init evm_display_config(void) -{ - char **xattrname; - - for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) - printk(KERN_INFO "EVM: %s\n", *xattrname); - return 0; -} - -pure_initcall(evm_display_config); -late_initcall(init_evm); - -MODULE_DESCRIPTION("Extended Verification Module"); -MODULE_LICENSE("GPL"); diff --git a/ANDROID_3.4.5/security/integrity/evm/evm_posix_acl.c b/ANDROID_3.4.5/security/integrity/evm/evm_posix_acl.c deleted file mode 100644 index b1753e98..00000000 --- a/ANDROID_3.4.5/security/integrity/evm/evm_posix_acl.c +++ /dev/null @@ -1,26 +0,0 @@ -/* - * Copyright (C) 2011 IBM Corporation - * - * Author: - * Mimi Zohar <zohar@us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2 of the License. - */ - -#include <linux/module.h> -#include <linux/xattr.h> - -int posix_xattr_acl(char *xattr) -{ - int xattr_len = strlen(xattr); - - if ((strlen(XATTR_NAME_POSIX_ACL_ACCESS) == xattr_len) - && (strncmp(XATTR_NAME_POSIX_ACL_ACCESS, xattr, xattr_len) == 0)) - return 1; - if ((strlen(XATTR_NAME_POSIX_ACL_DEFAULT) == xattr_len) - && (strncmp(XATTR_NAME_POSIX_ACL_DEFAULT, xattr, xattr_len) == 0)) - return 1; - return 0; -} diff --git a/ANDROID_3.4.5/security/integrity/evm/evm_secfs.c b/ANDROID_3.4.5/security/integrity/evm/evm_secfs.c deleted file mode 100644 index ac762995..00000000 --- a/ANDROID_3.4.5/security/integrity/evm/evm_secfs.c +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright (C) 2010 IBM Corporation - * - * Authors: - * Mimi Zohar <zohar@us.ibm.com> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, version 2 of the License. - * - * File: evm_secfs.c - * - Used to signal when key is on keyring - * - Get the key and enable EVM - */ - -#include <linux/uaccess.h> -#include <linux/module.h> -#include "evm.h" - -static struct dentry *evm_init_tpm; - -/** - * evm_read_key - read() for <securityfs>/evm - * - * @filp: file pointer, not actually used - * @buf: where to put the result - * @count: maximum to send along - * @ppos: where to start - * - * Returns number of bytes read or error code, as appropriate - */ -static ssize_t evm_read_key(struct file *filp, char __user *buf, - size_t count, loff_t *ppos) -{ - char temp[80]; - ssize_t rc; - - if (*ppos != 0) - return 0; - - sprintf(temp, "%d", evm_initialized); - rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); - - return rc; -} - -/** - * evm_write_key - write() for <securityfs>/evm - * @file: file pointer, not actually used - * @buf: where to get the data from - * @count: bytes sent - * @ppos: where to start - * - * Used to signal that key is on the kernel key ring. - * - get the integrity hmac key from the kernel key ring - * - create list of hmac protected extended attributes - * Returns number of bytes written or error code, as appropriate - */ -static ssize_t evm_write_key(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) -{ - char temp[80]; - int i, error; - - if (!capable(CAP_SYS_ADMIN) || evm_initialized) - return -EPERM; - - if (count >= sizeof(temp) || count == 0) - return -EINVAL; - - if (copy_from_user(temp, buf, count) != 0) - return -EFAULT; - - temp[count] = '\0'; - - if ((sscanf(temp, "%d", &i) != 1) || (i != 1)) - return -EINVAL; - - error = evm_init_key(); - if (!error) { - evm_initialized = 1; - pr_info("EVM: initialized\n"); - } else - pr_err("EVM: initialization failed\n"); - return count; -} - -static const struct file_operations evm_key_ops = { - .read = evm_read_key, - .write = evm_write_key, -}; - -int __init evm_init_secfs(void) -{ - int error = 0; - - evm_init_tpm = securityfs_create_file("evm", S_IRUSR | S_IRGRP, - NULL, NULL, &evm_key_ops); - if (!evm_init_tpm || IS_ERR(evm_init_tpm)) - error = -EFAULT; - return error; -} - -void __exit evm_cleanup_secfs(void) -{ - if (evm_init_tpm) - securityfs_remove(evm_init_tpm); -} |