> From: Christoph Hellwig [mailto:hch@xxxxxxxxxxxxx] > Sent: Thursday, December 2, 2021 9:44 AM > On Thu, Dec 02, 2021 at 07:59:38AM +0000, Roberto Sassu wrote: > > ok, I will send it together with a patch for a not yet accepted > > software, Integrity Policy Enforcement (IPE), that will be > > the primary user of the introduced functionality. > > > > Regarding the patch itself, could you please provide a more > > detailed explanation? > > We don't build things into the kernel just as hooks. So in doubt you > need to restructured the code. And that a security module pokes into > a random block driver is a big hint that whatever you're trying to do is > completely broken. I will add more context to the discussion. The problem being solved is how to grant access to files which satisfy a property defined in the policy. For example, a policy enforced by IPE could be: policy_name="AllowDMVerityKmodules" policy_version=0.0.1 DEFAULT action=ALLOW DEFAULT op=KMODULE action=DENY op=KMODULE dmverity_roothash=3c64aae64ae5e8ca781df4d1fbff7c02cb78c4f18a79198263db192cc7f7ba11 action=ALLOW This would require IPE to obtain somehow this property. So far, there are two different approaches. The first one, proposed by the IPE authors was to define a new LSM hook for block devices, to append a security blob for those devices, and to store the dm-verity root digest as soon as this information can be determined. IPE will then access the security blob at run-time and will match the blob content with the property value in the policy. The second one I'm proposing is to directly retrieve the information at run-time, when files are accessed, and to possibly cache the result of the evaluation per filesystem. This would avoid to the introduction of a new LSM hook and to append a security blob for the purpose of passing information from the device mapper driver to IPE. Security blobs are usually used to store LSM-specific information such as a label (or a reference of it). Sometimes, when the label must be stored persistently, the subsystem responsible for this task, such as the VFS, uses subsystem-defined methods to retrieve the label from the storage and copy it to the security blob. In this case, it is not an LSM-specific information but rather an existing property of another subsystem IPE is interested in. Since LSMs need anyway to inspect the object before making the security decision, they could directly retrieve the information that is already available, instead of making it redundant. Even if I would prefer the second option, it would be fine for me if the first is adopted. Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua