evm: provide option to protect additional SMACK xattrs

[linux-beck.git] / security / integrity / evm / Kconfig

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index 0df4f7a2f1e9dba7ecfbb3bd5a5fd7532a08ea53..d606f3d12d6bfb8f27d849a3b4fa9fc9ee411875 100644 (file)
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -30,6 +30,23 @@ config EVM_ATTR_FSUUID
          additional info to the calculation, requires existing EVM
          labeled file systems to be relabeled.
 
+config EVM_EXTRA_SMACK_XATTRS
+       bool "Additional SMACK xattrs"
+       depends on EVM && SECURITY_SMACK
+       default n
+       help
+         Include additional SMACK xattrs for HMAC calculation.
+
+         In addition to the original security xattrs (eg. security.selinux,
+         security.SMACK64, security.capability, and security.ima) included
+         in the HMAC calculation, enabling this option includes newly defined
+         Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
+         security.SMACK64MMAP.
+
+         WARNING: changing the HMAC calculation method or adding
+         additional info to the calculation, requires existing EVM
+         labeled file systems to be relabeled.
+
 endmenu
 
 endif