When rootfs supports extended attributes and CONFIG_IMA_APPRAISE_ROOTFS
is enabled, appraise the xattrs.
Changelog v1:
- limit appraising tmpfs to rootfs
- define new IMA_APPRAISE_ROOTFS Kconfig option (based on Josh Boyer's
comment).
Signed-off-by: Mimi Zohar
---
security/integrity/ima/Kconfig
Either we keep the current field ordering, making some fields
64 bits, or move the larger fields to the end. This patch keeps
the same field ordering.
Requested-by: Rob Landley
Signed-off-by: Mimi Zohar
---
usr/gen_init_cpio.c | 25 -
1 file changed, 16 insertions(+), 9
Support the new gen_init_cpio option to include extended attributes.
This patch adds support for the "-x" option and passes it to
gen_init_cpio.
Signed-off-by: Mimi Zohar
---
scripts/gen_initramfs_list.sh | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/gen_init
The same printf format string is used in a number of places. This
patch replaces the inline format string with a single common variable
called newcfmt.
Signed-off-by: Mimi Zohar
---
usr/gen_init_cpio.c | 18 --
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/usr/g
This patch defines a new CPIO method 070703 for including xattrs.
The new format extends the existing NEWC header to include the
buffer size containing the number of xattrs, the xattr(s) name,
data size, and data.
Signed-off-by: Mimi Zohar
---
usr/gen_init_cpio.c | 35 ++-
Both the EVM HMAC and signature xattr formats are file system
specific and can not be copied from one filesystem to another.
EVM differentiates files without any xattrs (INTEGRITY_UNKNOWN)
from those having protected xattrs (INTEGRITY_NOLABEL). This
patch treats the rootfs filesystem as a special
In preparation for adding xattr support, read the CPIO method
separately from the rest of the header.
Signed-off-by: Mimi Zohar
---
init/initramfs.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index ad1bd77..bb51b5b 100644
Either we keep the current field ordering, making some fields
64 bits, or move the larger fields to the end. This patch keeps
the same field ordering.
Requested-by: Rob Landley
Signed-off-by: Mimi Zohar
---
init/initramfs.c | 30 +++---
1 file changed, 19 insertions(+),
This patch reads the xattr(s), creating a buffer containing the
number of xattrs, the xattr(s) name, data size, and data. The
resulting buffer size is included in the CPIO header and the
buffer data is written after the file name.
This patch also defines the '-x' option to enable the inclusion
of
This patch writes out the extended attributes included in the cpio file.
As the "security.ima" xattr needs to be written after the file data,
this patch separates extracting and setting the xattrs by defining two
new states "GotXattrs" and "SetXattrs".
Changelog:
- "way too trusting of input data"
Many of the Linux security/integrity features are dependent on file
metadata, stored as extended attributes (xattrs), for making decisions.
These features need to be initialized during initcall and enabled as
early as possible for complete security coverage.
The Linux kernel creates the rootfs fi
Replace existing obsolete simple_strtoul() call with kstrtoul(),
before making other changes.
Signed-off-by: Mimi Zohar
---
init/initramfs.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index bb51b5b..5dd93ca 100644
--- a/init/initra