diff mbox series

[v7,22/23] integrity: Remove 'integrity' LSM and move integrity functions to 'ima' LSM

Message ID 20231130231948.2545638-4-roberto.sassu@huaweicloud.com (mailing list archive)
State Superseded
Headers show
Series None | expand

Commit Message

Roberto Sassu Nov. 30, 2023, 11:19 p.m. UTC 
From: Roberto Sassu <roberto.sassu@huawei.com>

Move the 'integrity' LSM tasks to the 'ima' LSM, and remove the former.

In particular, let 'ima' manage integrity metadata by reserving space in
the security blob for a pointer to the integrity_iint_cache structure, by
initializing the corresponding memory cache, and by registering
integrity_inode_free() for the inode_free_security LSM hook.

Also move the global declaration of integrity_inode_get() and
integrity_inode_free() to security/integrity/integrity.h, so that they can
be still called by IMA.

Finally, register integrity_kernel_module_request() in 'ima' for the
kernel_module_request LSM hook, since it is the one affected by the crypto
subsystem trying to load kernel modules, and remove the 'integrity' LSM.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/integrity.h         | 26 --------------------------
 security/integrity/iint.c         | 19 ++++++++++++-------
 security/integrity/ima/ima_main.c |  5 +++++
 security/integrity/integrity.h    |  9 +++++++++
 security/security.c               |  9 +--------
 5 files changed, 27 insertions(+), 41 deletions(-)
diff mbox series

Patch

diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 2ea0f2f65ab6..afaae7ad26f4 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -21,38 +21,12 @@  enum integrity_status {
 
 /* List of EVM protected security xattrs */
 #ifdef CONFIG_INTEGRITY
-extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
-extern void integrity_inode_free(struct inode *inode);
 extern void __init integrity_load_keys(void);
 
 #else
-static inline struct integrity_iint_cache *
-				integrity_inode_get(struct inode *inode)
-{
-	return NULL;
-}
-
-static inline void integrity_inode_free(struct inode *inode)
-{
-	return;
-}
-
 static inline void integrity_load_keys(void)
 {
 }
 #endif /* CONFIG_INTEGRITY */
 
-#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
-
-extern int integrity_kernel_module_request(char *kmod_name);
-
-#else
-
-static inline int integrity_kernel_module_request(char *kmod_name)
-{
-	return 0;
-}
-
-#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */
-
 #endif /* _LINUX_INTEGRITY_H */
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index d4419a2a1e24..c36054041b84 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -127,6 +127,13 @@  struct integrity_iint_cache *integrity_inode_get(struct inode *inode)
 	struct rb_node *node, *parent = NULL;
 	struct integrity_iint_cache *iint, *test_iint;
 
+	/*
+	 * After removing the 'integrity' LSM, the 'ima' LSM calls
+	 * integrity_iintcache_init() to initialize iint_cache.
+	 */
+	if (!IS_ENABLED(CONFIG_IMA))
+		return NULL;
+
 	iint = integrity_iint_find(inode);
 	if (iint)
 		return iint;
@@ -193,19 +200,17 @@  static void iint_init_once(void *foo)
 	memset(iint, 0, sizeof(*iint));
 }
 
-static int __init integrity_iintcache_init(void)
+/*
+ * Initialize the integrity metadata cache from IMA, since it is the only LSM
+ * that really needs it. EVM can work without it.
+ */
+int __init integrity_iintcache_init(void)
 {
 	iint_cache =
 	    kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache),
 			      0, SLAB_PANIC, iint_init_once);
 	return 0;
 }
-DEFINE_LSM(integrity) = {
-	.name = "integrity",
-	.init = integrity_iintcache_init,
-	.order = LSM_ORDER_LAST,
-};
-
 
 /*
  * integrity_kernel_read - read data from the file
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 079f629bf369..3f59cce3fa02 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1138,6 +1138,10 @@  static struct security_hook_list ima_hooks[] __ro_after_init = {
 #endif
 #ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
 	LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update),
+#endif
+	LSM_HOOK_INIT(inode_free_security, integrity_inode_free),
+#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
+	LSM_HOOK_INIT(kernel_module_request, integrity_kernel_module_request),
 #endif
 };
 
@@ -1148,6 +1152,7 @@  static const struct lsm_id ima_lsmid = {
 
 static int __init init_ima_lsm(void)
 {
+	integrity_iintcache_init();
 	security_add_hooks(ima_hooks, ARRAY_SIZE(ima_hooks), &ima_lsmid);
 	init_ima_appraise_lsm(&ima_lsmid);
 	return 0;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 59eaddd84434..26d3b08dca1c 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -180,6 +180,9 @@  struct integrity_iint_cache {
  * integrity data associated with an inode.
  */
 struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
+struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
+void integrity_inode_free(struct inode *inode);
+int __init integrity_iintcache_init(void);
 
 int integrity_kernel_read(struct file *file, loff_t offset,
 			  void *addr, unsigned long count);
@@ -236,12 +239,18 @@  static inline int __init integrity_load_cert(const unsigned int id,
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
 int asymmetric_verify(struct key *keyring, const char *sig,
 		      int siglen, const char *data, int datalen);
+int integrity_kernel_module_request(char *kmod_name);
 #else
 static inline int asymmetric_verify(struct key *keyring, const char *sig,
 				    int siglen, const char *data, int datalen)
 {
 	return -EOPNOTSUPP;
 }
+
+static inline int integrity_kernel_module_request(char *kmod_name)
+{
+	return 0;
+}
 #endif
 
 #ifdef CONFIG_IMA_APPRAISE_MODSIG
diff --git a/security/security.c b/security/security.c
index 778043a626a6..351a124b771c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -19,7 +19,6 @@ 
 #include <linux/kernel.h>
 #include <linux/kernel_read_file.h>
 #include <linux/lsm_hooks.h>
-#include <linux/integrity.h>
 #include <linux/fsnotify.h>
 #include <linux/mman.h>
 #include <linux/mount.h>
@@ -1597,7 +1596,6 @@  static void inode_free_by_rcu(struct rcu_head *head)
  */
 void security_inode_free(struct inode *inode)
 {
-	integrity_inode_free(inode);
 	call_void_hook(inode_free_security, inode);
 	/*
 	 * The inode may still be referenced in a path walk and
@@ -3182,12 +3180,7 @@  int security_kernel_create_files_as(struct cred *new, struct inode *inode)
  */
 int security_kernel_module_request(char *kmod_name)
 {
-	int ret;
-
-	ret = call_int_hook(kernel_module_request, 0, kmod_name);
-	if (ret)
-		return ret;
-	return integrity_kernel_module_request(kmod_name);
+	return call_int_hook(kernel_module_request, 0, kmod_name);
 }
 
 /**