| Message ID | 20180417225601.6965-2-mjg59@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, 2018-04-17 at 15:56 -0700, Matthew Garrett wrote: > The kernel is taking security.apparmor into account when validating EVM, > so evmctl should be doing the same. > > Signed-off-by: Matthew Garrett <mjg59@google.com> The XATTR_NAME_APPARMOR is dependent on the version of "/usr/include/linux/xattr.h". Without it defined, evmctl fails to build. Mimi > --- > src/evmctl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 43d261f..e350f69 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -69,6 +69,7 @@ > static char *evm_default_xattrs[] = { > XATTR_NAME_SELINUX, > XATTR_NAME_SMACK, > + XATTR_NAME_APPARMOR, > XATTR_NAME_IMA, > XATTR_NAME_CAPS, > NULL > @@ -80,6 +81,7 @@ static char *evm_extra_smack_xattrs[] = { > XATTR_NAME_SMACKEXEC, > XATTR_NAME_SMACKTRANSMUTE, > XATTR_NAME_SMACKMMAP, > + XATTR_NAME_APPARMOR, > XATTR_NAME_IMA, > XATTR_NAME_CAPS, > NULL
On Tue, Jun 12, 2018 at 4:42 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > On Tue, 2018-04-17 at 15:56 -0700, Matthew Garrett wrote: > > The kernel is taking security.apparmor into account when validating EVM, > > so evmctl should be doing the same. > > > > Signed-off-by: Matthew Garrett <mjg59@google.com> > > The XATTR_NAME_APPARMOR is dependent on the version of > "/usr/include/linux/xattr.h". Without it defined, evmctl fails to > build. Hmm, true. Is it reasonable to just hardcode it rather than using the define?
On Thu, 2018-06-14 at 12:43 -0700, Matthew Garrett wrote: > On Tue, Jun 12, 2018 at 4:42 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > > > On Tue, 2018-04-17 at 15:56 -0700, Matthew Garrett wrote: > > > The kernel is taking security.apparmor into account when validating EVM, > > > so evmctl should be doing the same. > > > > > > Signed-off-by: Matthew Garrett <mjg59@google.com> > > > > The XATTR_NAME_APPARMOR is dependent on the version of > > "/usr/include/linux/xattr.h". Without it defined, evmctl fails to > > build. > > Hmm, true. Is it reasonable to just hardcode it rather than using the define? I'm not sure how difficult it would be to tie the package name/version to a specific kernel release. Commit 096b85464832 ("EVM: Include security.apparmor in EVM measurements") was upstreamed in linux-4.15. Mimi
On Thu, 2018-06-14 at 16:41 -0400, Mimi Zohar wrote: > On Thu, 2018-06-14 at 12:43 -0700, Matthew Garrett wrote: > > On Tue, Jun 12, 2018 at 4:42 PM Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > > > > > On Tue, 2018-04-17 at 15:56 -0700, Matthew Garrett wrote: > > > > The kernel is taking security.apparmor into account when validating EVM, > > > > so evmctl should be doing the same. > > > > > > > > Signed-off-by: Matthew Garrett <mjg59@google.com> > > > > > > The XATTR_NAME_APPARMOR is dependent on the version of > > > "/usr/include/linux/xattr.h". Without it defined, evmctl fails to > > > build. > > > > Hmm, true. Is it reasonable to just hardcode it rather than using the define? > > I'm not sure how difficult it would be to tie the package name/version > to a specific kernel release. Commit 096b85464832 ("EVM: Include > security.apparmor in EVM measurements") was upstreamed in linux-4.15. Instead, I've made the following change and pushed it out to master. +#ifndef XATTR_APPAARMOR_SUFFIX +#define XATTR_APPARMOR_SUFFIX "apparmor" +#define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX +#endif + thanks, Mimi
diff --git a/src/evmctl.c b/src/evmctl.c index 43d261f..e350f69 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -69,6 +69,7 @@ static char *evm_default_xattrs[] = { XATTR_NAME_SELINUX, XATTR_NAME_SMACK, + XATTR_NAME_APPARMOR, XATTR_NAME_IMA, XATTR_NAME_CAPS, NULL @@ -80,6 +81,7 @@ static char *evm_extra_smack_xattrs[] = { XATTR_NAME_SMACKEXEC, XATTR_NAME_SMACKTRANSMUTE, XATTR_NAME_SMACKMMAP, + XATTR_NAME_APPARMOR, XATTR_NAME_IMA, XATTR_NAME_CAPS, NULL
The kernel is taking security.apparmor into account when validating EVM, so evmctl should be doing the same. Signed-off-by: Matthew Garrett <mjg59@google.com> --- src/evmctl.c | 2 ++ 1 file changed, 2 insertions(+)