Merge remote-tracking branch 'integrity/next'

diff --combined security/integrity/evm/evm_crypto.c
index 6b540f1822e0b43c175466615ff78db50b0df0f5,53967699406d1ead2b7e2f95a23960eba209a82c..5e9687f02e1b14e56e56d3a303afbef23ea79dca
--- 1/security/integrity/evm/evm_crypto.c
--- 2/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@@ -112,7 -112,7 +112,7 @@@ static void hmac_add_misc(struct shash_
        hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
        hmac_misc.mode = inode->i_mode;
        crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
-       if (evm_hmac_version > 1)
+       if (evm_hmac_attrs & EVM_ATTR_FSUUID)
                crypto_shash_update(desc, inode->i_sb->s_uuid,
                                    sizeof(inode->i_sb->s_uuid));
        crypto_shash_final(desc, digest);
@@@ -139,7 -139,7 +139,7 @@@ static int evm_calc_hmac_or_hash(struc
        int error;
        int size;
  
 -      if (!inode->i_op || !inode->i_op->getxattr)
 +      if (!inode->i_op->getxattr)
                return -EOPNOTSUPP;
        desc = init_desc(type);
        if (IS_ERR(desc))

diff --combined security/integrity/evm/evm_main.c
index 6e0bd933b6a9a8a815f5d57c147f1d18dfbfec36,29cbaeff8292114e9b696fa3850dafbd6bff14da..3bcb80df4d01f1ca30927c7e61c6b2b19b5ca15f
--- 1/security/integrity/evm/evm_main.c
--- 2/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@@ -32,7 -32,7 +32,7 @@@ static char *integrity_status_msg[] = 
  };
  char *evm_hmac = "hmac(sha1)";
  char *evm_hash = "sha1";
- int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
+ int evm_hmac_attrs;
  
  char *evm_config_xattrnames[] = {
  #ifdef CONFIG_SECURITY_SELINUX
@@@ -40,6 -40,11 +40,11 @@@
  #endif
  #ifdef CONFIG_SECURITY_SMACK
        XATTR_NAME_SMACK,
+ #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
+       XATTR_NAME_SMACKEXEC,
+       XATTR_NAME_SMACKTRANSMUTE,
+       XATTR_NAME_SMACKMMAP,
+ #endif
  #endif
  #ifdef CONFIG_IMA_APPRAISE
        XATTR_NAME_IMA,
@@@ -57,6 -62,14 +62,14 @@@ static int __init evm_set_fixmode(char 
  }
  __setup("evm=", evm_set_fixmode);
  
+ static void __init evm_init_config(void)
+ {
+ #ifdef CONFIG_EVM_ATTR_FSUUID
+       evm_hmac_attrs |= EVM_ATTR_FSUUID;
+ #endif
+       pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
+ }
+ 
  static int evm_find_protected_xattrs(struct dentry *dentry)
  {
        struct inode *inode = dentry->d_inode;
@@@ -64,7 -77,7 +77,7 @@@
        int error;
        int count = 0;
  
 -      if (!inode->i_op || !inode->i_op->getxattr)
 +      if (!inode->i_op->getxattr)
                return -EOPNOTSUPP;
  
        for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) {
@@@ -287,12 -300,20 +300,20 @@@ out
   * @xattr_value: pointer to the new extended attribute value
   * @xattr_value_len: pointer to the new extended attribute value length
   *
-  * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
-  * the current value is valid.
+  * Before allowing the 'security.evm' protected xattr to be updated,
+  * verify the existing value is valid.  As only the kernel should have
+  * access to the EVM encrypted key needed to calculate the HMAC, prevent
+  * userspace from writing HMAC value.  Writing 'security.evm' requires
+  * requires CAP_SYS_ADMIN privileges.
   */
  int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
                       const void *xattr_value, size_t xattr_value_len)
  {
+       const struct evm_ima_xattr_data *xattr_data = xattr_value;
+ 
+       if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
+           && (xattr_data->type == EVM_XATTR_HMAC))
+               return -EPERM;
        return evm_protect_xattr(dentry, xattr_name, xattr_value,
                                 xattr_value_len);
  }
@@@ -432,6 -453,8 +453,8 @@@ static int __init init_evm(void
  {
        int error;
  
+       evm_init_config();
+ 
        error = evm_init_secfs();
        if (error < 0) {
                pr_info("Error registering secfs\n");