From patchwork Fri Oct 13 22:09:25 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthew Garrett <mjg59@google.com>
X-Patchwork-Id: 10006051
Return-Path: <linux-integrity-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	EBBD160230 for <patchwork-linux-integrity@patchwork.kernel.org>;
	Fri, 13 Oct 2017 22:09:40 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DA64229173
	for <patchwork-linux-integrity@patchwork.kernel.org>;
	Fri, 13 Oct 2017 22:09:40 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id CEFF32917C; Fri, 13 Oct 2017 22:09:40 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 621B429173
	for <patchwork-linux-integrity@patchwork.kernel.org>;
	Fri, 13 Oct 2017 22:09:38 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751414AbdJMWJi (ORCPT
	<rfc822;patchwork-linux-integrity@patchwork.kernel.org>);
	Fri, 13 Oct 2017 18:09:38 -0400
Received: from mail-oi0-f74.google.com ([209.85.218.74]:54111 "EHLO
	mail-oi0-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751081AbdJMWJh (ORCPT
	<rfc822;linux-integrity@vger.kernel.org>);
	Fri, 13 Oct 2017 18:09:37 -0400
Received: by mail-oi0-f74.google.com with SMTP id q4so6982552oic.12
	for <linux-integrity@vger.kernel.org>;
	Fri, 13 Oct 2017 15:09:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=mime-version:date:message-id:subject:from:to:cc;
	bh=VRBbYdzu0dZbW74tcKFZ2WqjZhSM6+kyAX2+2pMgdT0=;
	b=SJJgbarPIt2vNi3ryK/XNFgwtuQK8imAtHk70wfhMqyaLsFddluGEyOtbMCIRnKtSk
	sPcsCtUBook4GA1NO6Y33fkV+9zSiRWIlPAQrmXQJkUXLgnPB3pcadHw/XXDSfMnjWfc
	RkdkWw9X+2nbZsX4wGEvDt1BWxDxRER9jttsGreoBIO7P2VupHE7CE/nOqYeEj14iixS
	Jm+7bVwI5Nq0dagKQxjx5ctrajmeCTE2zwvFpeuG0z+ZZ8FIwHdODONfMksqV/m/32n/
	nHa/055pZTnfW9vzEMX4RLzkOPHF2XTOt3rkEvy/glBXVPIaeeaPTYTlQYD6/IWgwoMO
	iRKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc;
	bh=VRBbYdzu0dZbW74tcKFZ2WqjZhSM6+kyAX2+2pMgdT0=;
	b=AKfcISLPJJD+qdafzzgaVjCZpa5BvdrDqBeweH8EsDf9ipHKzTjc9N+Q0rfGTHavEZ
	BvxQ2N0MhgFBs+mp/c9SVJ3oz7Iimwsxs5gTo79QGi8MpmzzGwXBnphHB1jwVnUXUFXw
	A+Qc7r59tAVIRCQO+LsT/gK445TMK0zIJCtWuRNCc/RcuDXWKOCtxfP+LnFMBH7Lwzzs
	ryBlGk+OOzW/q0+3dCCLWx4UcTAMgRF1rWdgAS2Ieq4Vtqdi71AEOzkzMPffFNCWrIW2
	hRwaqPViWCDdG/cAxKkCraD6Bg2nn37O+Sb9UBHGiZg+Sa3v3vedRjm4X2cJQvAZr4Ys
	tEqQ==
X-Gm-Message-State: AMCzsaXEdfsY2PZq0z7y6rSgi7iJafEeoRj5eE4S6/ct1UQjxYwbOli1
	hTVJeDbs/s5yKf2HaOYrPVJ1M2nK0yzu6kXJs4cg3ZMe6m9k/pJsHtSQUvZpGBzWLMemPcqcG1f
	1W/LuqGaPY3CUXckOZRFwwHCYWaIVHuq1Axk=
X-Google-Smtp-Source: 
 AOwi7QDkurAj+5A1a64+hBLBBCQz0zUapTB/TE9U0TKIb8L64sJ3GZX/iEg08MN8dPpi8oSxnKvuH+3PdqqsHoyINM4jQA==
MIME-Version: 1.0
X-Received: by 10.157.19.52 with SMTP id f49mr1544047ote.43.1507932576765;
	Fri, 13 Oct 2017 15:09:36 -0700 (PDT)
Date: Fri, 13 Oct 2017 15:09:25 -0700
Message-Id: <20171013220925.6420-1-mjg59@google.com>
X-Mailer: git-send-email 2.15.0.rc0.271.g36b669edcc-goog
Subject: [PATCH] EVM: Include security.apparmor in EVM measurements
From: Matthew Garrett <mjg59@google.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.vnet.ibm.com, john.johansen@canonical.com,
	Matthew Garrett <mjg59@google.com>
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-integrity.vger.kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Apparmor will be gaining support for security.apparmor labels, and it
would be helpful to include these in EVM validation now so appropriate
signatures can be generated even before full support is merged.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: John Johansen <John.johansen@canonical.com>
---
 include/uapi/linux/xattr.h        | 3 +++
 security/integrity/evm/evm_main.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
index 1590c49cae57..e630b9cd70cb 100644
--- a/include/uapi/linux/xattr.h
+++ b/include/uapi/linux/xattr.h
@@ -65,6 +65,9 @@
 #define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
 #define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP
 
+#define XATTR_APPARMOR_SUFFIX "apparmor"
+#define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
+
 #define XATTR_CAPS_SUFFIX "capability"
 #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
 
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 40bf3a20605d..78a5b1fddfc7 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -49,6 +49,9 @@ char *evm_config_xattrnames[] = {
 	XATTR_NAME_SMACKMMAP,
 #endif
 #endif
+#ifdef CONFIG_SECURITY_APPARMOR
+	XATTR_NAME_APPARMOR,
+#endif
 #ifdef CONFIG_IMA_APPRAISE
 	XATTR_NAME_IMA,
 #endif