On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
From: Roberto Sassu roberto.sassu@huawei.com
Move hardcoded IMA function calls (not appraisal-specific functions) from various places in the kernel to the LSM infrastructure, by introducing a new LSM named 'ima' (at the end of the LSM list and always enabled like 'integrity').
Having IMA before EVM in the Makefile is sufficient to preserve the relative order of the new 'ima' LSM in respect to the upcoming 'evm' LSM, and thus the order of IMA and EVM function calls as when they were hardcoded.
Make moved functions as static (except ima_post_key_create_or_update(), which is not in ima_main.c), and register them as implementation of the respective hooks in the new function init_ima_lsm().
A slight difference is that IMA and EVM functions registered for the inode_post_setattr, inode_post_removexattr, path_post_mknod, inode_post_create_tmpfile, inode_post_set_acl and inode_post_remove_acl won't be executed for private inodes. Since those inodes are supposed to be fs-internal, they should not be of interest of IMA or EVM. The S_PRIVATE flag is used for anonymous inodes, hugetlbfs, reiserfs xattrs, XFS scrub and kernel-internal tmpfs files.
Conditionally register ima_post_path_mknod() if CONFIG_SECURITY_PATH is enabled, otherwise the path_post_mknod hook won't be available.
Up to this point, enabling CONFIG_SECURITY_PATH was not required. By making it conditional on CONFIG_SECURITY_PATH, anyone enabling IMA will also need to enable CONFIG_SECURITY_PATH. Without it, new files will not be tagged as a "new" file.
Casey, Paul, how common is it today not to enable CONFIG_SECURITY_PATH? Will enabling it just for IMA be a problem?
Also, conditionally register ima_post_key_create_or_update() if CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled.
Move integrity_kernel_module_request() to IMA and name it ima_kernel_module_request(), as only appraisal is affected by the crypto subsystem trying to load kernel modules. Conditionally register ima_kernel_module_request() if CONFIG_INTEGRITY_ASYMMETRIC_KEYS is enabled.
The previous version was so clean. Moving integrity_kernel_module_request() to IMA should be a separate patch, probably a prereq. Then like the other functions convert it to an LSM hook.
Please include a line explaning why the original EVM signature is not affected.
Finally, add the LSM_ID_IMA case in lsm_list_modules_test.c.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Acked-by: Chuck Lever chuck.lever@oracle.com