Changes in Makefile en Copyright 2015 Java ec8f24b7 - treewide: Add SPDX license identifier - Makefile/Kconfig http://172.16.0.5:8080/history/linux-6.15/security/integrity/evm/Makefile#ec8f24b7 treewide: Add SPDX license identifier - Makefile/KconfigAdd SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any formThese files fall under the project license, GPL v2 only. The resulting SPDXlicense identifier is: GPL-2.0-onlySigned-off-by: Thomas Gleixner <tglx@linutronix.de>Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> List of files: /linux-6.15/security/integrity/evm/Makefile Sun, 19 May 2019 12:07:45 +0000 Thomas Gleixner <tglx@linutronix.de> bf6d0f5d - evm: posix acls modify i_mode http://172.16.0.5:8080/history/linux-6.15/security/integrity/evm/Makefile#bf6d0f5d evm: posix acls modify i_modeThe posix xattr acls are 'system' prefixed, which normally would notaffect security.evm. An interesting side affect of writing posix xattracls is their modifying of the i_mode, which is included in security.evm.This patch updates security.evm when posix xattr acls are written.Signed-off-by: Mimi Zohar <zohar@us.ibm.com> List of files: /linux-6.15/security/integrity/evm/Makefile Thu, 18 Aug 2011 22:07:44 +0000 Mimi Zohar <zohar@linux.vnet.ibm.com> 66dbc325 - evm: re-release http://172.16.0.5:8080/history/linux-6.15/security/integrity/evm/Makefile#66dbc325 evm: re-releaseEVM protects a file's security extended attributes(xattrs) against integrityattacks. This patchset provides the framework and an initial method. Theinitial method maintains an HMAC-sha1 value across the security extendedattributes, storing the HMAC value as the extended attribute 'security.evm'.Other methods of validating the integrity of a file's metadata will be postedseparately (eg. EVM-digital-signatures).While this patchset does authenticate the security xattrs, andcryptographically binds them to the inode, coming extensions will bind otherdirectory and inode metadata for more complete protection. To help simplifythe review and upstreaming process, each extension will be posted separately(eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of theproposed Linux integrity subsystem, refer to Dave Safford's whitepaper:http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.EVM depends on the Kernel Key Retention System to provide it with atrusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto theroot's keyring using keyctl. Until EVM receives notification that the key hasbeen successfully loaded onto the keyring (echo 1 > <securityfs>/evm), EVM cannot create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.Loading the key and signaling EVM should be done as early as possible. Normallythis is done in the initramfs, which has already been measured as part of thetrusted boot. For more information on creating and loading existingtrusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. Asample dracut patch, which loads the trusted/encrypted key and enables EVM, isavailable from http://linux-ima.sourceforge.net/#EVM.Based on the LSMs enabled, the set of EVM protected security xattrs is definedat compile. EVM adds the following three calls to the existing security hooks:evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr. Toinitialize and update the 'security.evm' extended attribute, EVM defines threecalls: evm_inode_post_init(), evm_inode_post_setattr() andevm_inode_post_removexattr() hooks. To verify the integrity of a securityxattr, EVM exports evm_verifyxattr().Changelog v7:- Fixed URL in EVM ABI documentationChangelog v6: (based on Serge Hallyn's review)- fix URL in patch description- remove evm_hmac_size definition- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)- moved linux include before other includes- test for crypto_hash_setkey failure- fail earlier for invalid key- clear entire encrypted key, even on failure- check xattr name length before comparing xattr namesChangelog:- locking based on i_mutex, remove evm_mutex- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1 operation.- replaced crypto hash with shash (Dmitry Kasatkin)- support for additional methods of verifying the security xattrs (Dmitry Kasatkin)- iint not allocated for all regular files, but only for those appraised- Use cap_sys_admin in lieu of cap_mac_admin- Use __vfs_setxattr_noperm(), without permission checks, from EVMSigned-off-by: Mimi Zohar <zohar@us.ibm.com>Acked-by: Serge Hallyn <serge.hallyn@canonical.com> List of files: /linux-6.15/security/integrity/evm/Makefile Tue, 15 Mar 2011 20:12:09 +0000 Mimi Zohar <zohar@linux.vnet.ibm.com>