On Thu, Aug 31, 2023 at 01:37:59PM +0200, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > Remove hardcoded IMA function calls (not for appraisal) from the LSM > infrastructure, the VFS, NFS and the key subsystem. > > Make those functions as static (except for ima_file_check() which is > exported, and ima_post_key_create_or_update(), which is not in ima_main.c), > and register them as implementation of the respective hooks in the new > function init_ima_lsm(). > > Call init_ima_lsm() from integrity_lsm_init() (renamed from > integrity_iintcache_init()), to make sure that the integrity subsystem is > ready at the time IMA hooks are registered. The same will be done for EVM, > by calling init_evm_lsm() just after init_ima_lsm(). > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > --- > fs/file_table.c | 2 - > fs/namei.c | 7 --- > fs/nfsd/vfs.c | 7 --- For the NFSD part: Acked-by: Chuck Lever <chuck.lever@xxxxxxxxxx> > fs/open.c | 1 - > include/linux/ima.h | 94 ------------------------------- > security/integrity/iint.c | 7 ++- > security/integrity/ima/ima.h | 6 ++ > security/integrity/ima/ima_main.c | 63 ++++++++++++++------- > security/integrity/integrity.h | 9 +++ > security/keys/key.c | 9 +-- > security/security.c | 53 +++-------------- > 11 files changed, 72 insertions(+), 186 deletions(-) > > diff --git a/fs/file_table.c b/fs/file_table.c > index 964e24120684..7b9c756a42df 100644 > --- a/fs/file_table.c > +++ b/fs/file_table.c > @@ -26,7 +26,6 @@ > #include <linux/percpu_counter.h> > #include <linux/percpu.h> > #include <linux/task_work.h> > -#include <linux/ima.h> > #include <linux/swap.h> > #include <linux/kmemleak.h> > > @@ -376,7 +375,6 @@ static void __fput(struct file *file) > locks_remove_file(file); > > security_file_pre_free(file); > - ima_file_free(file); > if (unlikely(file->f_flags & FASYNC)) { > if (file->f_op->fasync) > file->f_op->fasync(-1, file, 0); > diff --git a/fs/namei.c b/fs/namei.c > index efed0e1e93f5..a200021209c3 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -27,7 +27,6 @@ > #include <linux/fsnotify.h> > #include <linux/personality.h> > #include <linux/security.h> > -#include <linux/ima.h> > #include <linux/syscalls.h> > #include <linux/mount.h> > #include <linux/audit.h> > @@ -3636,8 +3635,6 @@ static int do_open(struct nameidata *nd, > error = vfs_open(&nd->path, file); > if (!error) > error = security_file_post_open(file, op->acc_mode); > - if (!error) > - error = ima_file_check(file, op->acc_mode); > if (!error && do_truncate) > error = handle_truncate(idmap, file); > if (unlikely(error > 0)) { > @@ -3701,7 +3698,6 @@ static int vfs_tmpfile(struct mnt_idmap *idmap, > spin_unlock(&inode->i_lock); > } > security_inode_post_create_tmpfile(idmap, dir, file, mode); > - ima_post_create_tmpfile(idmap, dir, file, mode); > return 0; > } > > @@ -4049,9 +4045,6 @@ static int do_mknodat(int dfd, struct filename *name, umode_t mode, > case 0: case S_IFREG: > error = vfs_create(idmap, path.dentry->d_inode, > dentry, mode, true); > - if (!error) > - ima_post_path_mknod(idmap, &path, dentry, > - mode_stripped, dev); > break; > case S_IFCHR: case S_IFBLK: > error = vfs_mknod(idmap, path.dentry->d_inode, > diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c > index 3450bb1c8a18..94bbd7ac8b68 100644 > --- a/fs/nfsd/vfs.c > +++ b/fs/nfsd/vfs.c > @@ -25,7 +25,6 @@ > #include <linux/posix_acl_xattr.h> > #include <linux/xattr.h> > #include <linux/jhash.h> > -#include <linux/ima.h> > #include <linux/pagemap.h> > #include <linux/slab.h> > #include <linux/uaccess.h> > @@ -868,12 +867,6 @@ __nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, > goto out_nfserr; > } > > - host_err = ima_file_check(file, may_flags); > - if (host_err) { > - fput(file); > - goto out_nfserr; > - } > - > if (may_flags & NFSD_MAY_64BIT_COOKIE) > file->f_mode |= FMODE_64BITHASH; > else > diff --git a/fs/open.c b/fs/open.c > index 0c55c8e7f837..6825ac1d07a9 100644 > --- a/fs/open.c > +++ b/fs/open.c > @@ -29,7 +29,6 @@ > #include <linux/audit.h> > #include <linux/falloc.h> > #include <linux/fs_struct.h> > -#include <linux/ima.h> > #include <linux/dnotify.h> > #include <linux/compat.h> > #include <linux/mnt_idmapping.h> > diff --git a/include/linux/ima.h b/include/linux/ima.h > index 6e4d060ff378..58591b5cbdb4 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -16,26 +16,7 @@ struct linux_binprm; > > #ifdef CONFIG_IMA > extern enum hash_algo ima_get_current_hash_algo(void); > -extern int ima_bprm_check(struct linux_binprm *bprm); > extern int ima_file_check(struct file *file, int mask); > -extern void ima_post_create_tmpfile(struct mnt_idmap *idmap, > - struct inode *dir, struct file *file, > - umode_t mode); > -extern void ima_file_free(struct file *file); > -extern int ima_file_mmap(struct file *file, unsigned long reqprot, > - unsigned long prot, unsigned long flags); > -int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, > - unsigned long prot); > -extern int ima_load_data(enum kernel_load_data_id id, bool contents); > -extern int ima_post_load_data(char *buf, loff_t size, > - enum kernel_load_data_id id, char *description); > -extern int ima_read_file(struct file *file, enum kernel_read_file_id id, > - bool contents); > -int ima_post_read_file(struct file *file, char *buf, loff_t size, > - enum kernel_read_file_id id); > -extern void ima_post_path_mknod(struct mnt_idmap *idmap, > - const struct path *dir, struct dentry *dentry, > - umode_t mode, unsigned int dev); > extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); > extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size); > extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size); > @@ -60,72 +41,11 @@ static inline enum hash_algo ima_get_current_hash_algo(void) > return HASH_ALGO__LAST; > } > > -static inline int ima_bprm_check(struct linux_binprm *bprm) > -{ > - return 0; > -} > - > static inline int ima_file_check(struct file *file, int mask) > { > return 0; > } > > -static inline void ima_post_create_tmpfile(struct mnt_idmap *idmap, > - struct inode *dir, > - struct file *file, > - umode_t mode) > -{ > -} > - > -static inline void ima_file_free(struct file *file) > -{ > - return; > -} > - > -static inline int ima_file_mmap(struct file *file, unsigned long reqprot, > - unsigned long prot, unsigned long flags) > -{ > - return 0; > -} > - > -static inline int ima_file_mprotect(struct vm_area_struct *vma, > - unsigned long reqprot, unsigned long prot) > -{ > - return 0; > -} > - > -static inline int ima_load_data(enum kernel_load_data_id id, bool contents) > -{ > - return 0; > -} > - > -static inline int ima_post_load_data(char *buf, loff_t size, > - enum kernel_load_data_id id, > - char *description) > -{ > - return 0; > -} > - > -static inline int ima_read_file(struct file *file, enum kernel_read_file_id id, > - bool contents) > -{ > - return 0; > -} > - > -static inline int ima_post_read_file(struct file *file, char *buf, loff_t size, > - enum kernel_read_file_id id) > -{ > - return 0; > -} > - > -static inline void ima_post_path_mknod(struct mnt_idmap *idmap, > - const struct path *dir, > - struct dentry *dentry, > - umode_t mode, unsigned int dev) > -{ > - return; > -} > - > static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size) > { > return -EOPNOTSUPP; > @@ -176,20 +96,6 @@ static inline void ima_add_kexec_buffer(struct kimage *image) > {} > #endif > > -#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS > -extern void ima_post_key_create_or_update(struct key *keyring, > - struct key *key, > - const void *payload, size_t plen, > - unsigned long flags, bool create); > -#else > -static inline void ima_post_key_create_or_update(struct key *keyring, > - struct key *key, > - const void *payload, > - size_t plen, > - unsigned long flags, > - bool create) {} > -#endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */ > - > #ifdef CONFIG_IMA_APPRAISE > extern bool is_ima_appraise_enabled(void); > extern void ima_inode_post_setattr(struct mnt_idmap *idmap, > diff --git a/security/integrity/iint.c b/security/integrity/iint.c > index a462df827de2..32f0f3c5c4dd 100644 > --- a/security/integrity/iint.c > +++ b/security/integrity/iint.c > @@ -167,20 +167,21 @@ static void init_once(void *foo) > mutex_init(&iint->mutex); > } > > -static int __init integrity_iintcache_init(void) > +static int __init integrity_lsm_init(void) > { > iint_cache = > kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), > 0, SLAB_PANIC, init_once); > + > + init_ima_lsm(); > return 0; > } > DEFINE_LSM(integrity) = { > .name = "integrity", > - .init = integrity_iintcache_init, > + .init = integrity_lsm_init, > .order = LSM_ORDER_LAST, > }; > > - > /* > * integrity_kernel_read - read data from the file > * > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index c29db699c996..c0412100023e 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -127,6 +127,12 @@ void ima_load_kexec_buffer(void); > static inline void ima_load_kexec_buffer(void) {} > #endif /* CONFIG_HAVE_IMA_KEXEC */ > > +#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS > +void ima_post_key_create_or_update(struct key *keyring, struct key *key, > + const void *payload, size_t plen, > + unsigned long flags, bool create); > +#endif > + > /* > * The default binary_runtime_measurements list format is defined as the > * platform native format. The canonical format is defined as little-endian. > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index f8581032e62c..0e4f882fcdce 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -188,7 +188,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, > * > * Flag files that changed, based on i_version > */ > -void ima_file_free(struct file *file) > +static void ima_file_free(struct file *file) > { > struct inode *inode = file_inode(file); > struct integrity_iint_cache *iint; > @@ -413,8 +413,8 @@ static int process_measurement(struct file *file, const struct cred *cred, > * On success return 0. On integrity appraisal error, assuming the file > * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. > */ > -int ima_file_mmap(struct file *file, unsigned long reqprot, > - unsigned long prot, unsigned long flags) > +static int ima_file_mmap(struct file *file, unsigned long reqprot, > + unsigned long prot, unsigned long flags) > { > u32 secid; > int ret; > @@ -452,8 +452,8 @@ int ima_file_mmap(struct file *file, unsigned long reqprot, > * > * On mprotect change success, return 0. On failure, return -EACESS. > */ > -int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, > - unsigned long prot) > +static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, > + unsigned long prot) > { > struct ima_template_desc *template = NULL; > struct file *file; > @@ -511,7 +511,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, > * On success return 0. On integrity appraisal error, assuming the file > * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. > */ > -int ima_bprm_check(struct linux_binprm *bprm) > +static int ima_bprm_check(struct linux_binprm *bprm) > { > int ret; > u32 secid; > @@ -673,9 +673,8 @@ EXPORT_SYMBOL_GPL(ima_inode_hash); > * Skip calling process_measurement(), but indicate which newly, created > * tmpfiles are in policy. > */ > -void ima_post_create_tmpfile(struct mnt_idmap *idmap, > - struct inode *dir, struct file *file, > - umode_t mode) > +static void ima_post_create_tmpfile(struct mnt_idmap *idmap, struct inode *dir, > + struct file *file, umode_t mode) > { > struct integrity_iint_cache *iint; > struct inode *inode = file_inode(file); > @@ -710,9 +709,9 @@ void ima_post_create_tmpfile(struct mnt_idmap *idmap, > * Mark files created via the mknodat syscall as new, so that the > * file data can be written later. > */ > -void ima_post_path_mknod(struct mnt_idmap *idmap, > - const struct path *dir, struct dentry *dentry, > - umode_t mode, unsigned int dev) > +static void __maybe_unused > +ima_post_path_mknod(struct mnt_idmap *idmap, const struct path *dir, > + struct dentry *dentry, umode_t mode, unsigned int dev) > { > struct integrity_iint_cache *iint; > struct inode *inode = dentry->d_inode; > @@ -751,8 +750,8 @@ void ima_post_path_mknod(struct mnt_idmap *idmap, > * > * For permission return 0, otherwise return -EACCES. > */ > -int ima_read_file(struct file *file, enum kernel_read_file_id read_id, > - bool contents) > +static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, > + bool contents) > { > enum ima_hooks func; > u32 secid; > @@ -801,8 +800,8 @@ const int read_idmap[READING_MAX_ID] = { > * On success return 0. On integrity appraisal error, assuming the file > * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. > */ > -int ima_post_read_file(struct file *file, char *buf, loff_t size, > - enum kernel_read_file_id read_id) > +static int ima_post_read_file(struct file *file, char *buf, loff_t size, > + enum kernel_read_file_id read_id) > { > enum ima_hooks func; > u32 secid; > @@ -835,7 +834,7 @@ int ima_post_read_file(struct file *file, char *buf, loff_t size, > * > * For permission return 0, otherwise return -EACCES. > */ > -int ima_load_data(enum kernel_load_data_id id, bool contents) > +static int ima_load_data(enum kernel_load_data_id id, bool contents) > { > bool ima_enforce, sig_enforce; > > @@ -889,9 +888,9 @@ int ima_load_data(enum kernel_load_data_id id, bool contents) > * On success return 0. On integrity appraisal error, assuming the file > * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. > */ > -int ima_post_load_data(char *buf, loff_t size, > - enum kernel_load_data_id load_id, > - char *description) > +static int ima_post_load_data(char *buf, loff_t size, > + enum kernel_load_data_id load_id, > + char *description) > { > if (load_id == LOADING_FIRMWARE) { > if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && > @@ -1120,4 +1119,28 @@ static int __init init_ima(void) > return error; > } > > +static struct security_hook_list ima_hooks[] __ro_after_init = { > + LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), > + LSM_HOOK_INIT(file_post_open, ima_file_check), > + LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile), > + LSM_HOOK_INIT(file_pre_free_security, ima_file_free), > + LSM_HOOK_INIT(mmap_file, ima_file_mmap), > + LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), > + LSM_HOOK_INIT(kernel_load_data, ima_load_data), > + LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), > + LSM_HOOK_INIT(kernel_read_file, ima_read_file), > + LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), > +#ifdef CONFIG_SECURITY_PATH > + LSM_HOOK_INIT(path_post_mknod, ima_post_path_mknod), > +#endif > +#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS > + LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update), > +#endif > +}; > + > +void __init init_ima_lsm(void) > +{ > + security_add_hooks(ima_hooks, ARRAY_SIZE(ima_hooks), "integrity"); > +} > + > late_initcall(init_ima); /* Start IMA after the TPM is available */ > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > index 7167a6e99bdc..7adc7d6c4f9f 100644 > --- a/security/integrity/integrity.h > +++ b/security/integrity/integrity.h > @@ -18,6 +18,7 @@ > #include <crypto/hash.h> > #include <linux/key.h> > #include <linux/audit.h> > +#include <linux/lsm_hooks.h> > > /* iint action cache flags */ > #define IMA_MEASURE 0x00000001 > @@ -191,6 +192,14 @@ extern struct dentry *integrity_dir; > > struct modsig; > > +#ifdef CONFIG_IMA > +void __init init_ima_lsm(void); > +#else > +static inline void __init init_ima_lsm(void) > +{ > +} > +#endif > + > #ifdef CONFIG_INTEGRITY_SIGNATURE > > int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, > diff --git a/security/keys/key.c b/security/keys/key.c > index 0f9c6faf3491..2acf9fa80735 100644 > --- a/security/keys/key.c > +++ b/security/keys/key.c > @@ -13,7 +13,6 @@ > #include <linux/security.h> > #include <linux/workqueue.h> > #include <linux/random.h> > -#include <linux/ima.h> > #include <linux/err.h> > #include "internal.h" > > @@ -936,8 +935,6 @@ static key_ref_t __key_create_or_update(key_ref_t keyring_ref, > > security_key_post_create_or_update(keyring, key, payload, plen, flags, > true); > - ima_post_key_create_or_update(keyring, key, payload, plen, > - flags, true); > > key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); > > @@ -969,13 +966,9 @@ static key_ref_t __key_create_or_update(key_ref_t keyring_ref, > > key_ref = __key_update(key_ref, &prep); > > - if (!IS_ERR(key_ref)) { > + if (!IS_ERR(key_ref)) > security_key_post_create_or_update(keyring, key, payload, plen, > flags, false); > - ima_post_key_create_or_update(keyring, key, > - payload, plen, > - flags, false); > - } > > goto error_free_prep; > } > diff --git a/security/security.c b/security/security.c > index e6783c2f0c65..8c5b8ffeef92 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -1098,12 +1098,7 @@ int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file) > */ > int security_bprm_check(struct linux_binprm *bprm) > { > - int ret; > - > - ret = call_int_hook(bprm_check_security, 0, bprm); > - if (ret) > - return ret; > - return ima_bprm_check(bprm); > + return call_int_hook(bprm_check_security, 0, bprm); > } > > /** > @@ -2793,13 +2788,8 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot) > int security_mmap_file(struct file *file, unsigned long prot, > unsigned long flags) > { > - unsigned long prot_adj = mmap_prot(file, prot); > - int ret; > - > - ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags); > - if (ret) > - return ret; > - return ima_file_mmap(file, prot, prot_adj, flags); > + return call_int_hook(mmap_file, 0, file, prot, mmap_prot(file, prot), > + flags); > } > > /** > @@ -2828,12 +2818,7 @@ int security_mmap_addr(unsigned long addr) > int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, > unsigned long prot) > { > - int ret; > - > - ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot); > - if (ret) > - return ret; > - return ima_file_mprotect(vma, reqprot, prot); > + return call_int_hook(file_mprotect, 0, vma, reqprot, prot); > } > > /** > @@ -3163,12 +3148,7 @@ int security_kernel_module_request(char *kmod_name) > int security_kernel_read_file(struct file *file, enum kernel_read_file_id id, > bool contents) > { > - int ret; > - > - ret = call_int_hook(kernel_read_file, 0, file, id, contents); > - if (ret) > - return ret; > - return ima_read_file(file, id, contents); > + return call_int_hook(kernel_read_file, 0, file, id, contents); > } > EXPORT_SYMBOL_GPL(security_kernel_read_file); > > @@ -3188,12 +3168,7 @@ EXPORT_SYMBOL_GPL(security_kernel_read_file); > int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, > enum kernel_read_file_id id) > { > - int ret; > - > - ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id); > - if (ret) > - return ret; > - return ima_post_read_file(file, buf, size, id); > + return call_int_hook(kernel_post_read_file, 0, file, buf, size, id); > } > EXPORT_SYMBOL_GPL(security_kernel_post_read_file); > > @@ -3208,12 +3183,7 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file); > */ > int security_kernel_load_data(enum kernel_load_data_id id, bool contents) > { > - int ret; > - > - ret = call_int_hook(kernel_load_data, 0, id, contents); > - if (ret) > - return ret; > - return ima_load_data(id, contents); > + return call_int_hook(kernel_load_data, 0, id, contents); > } > EXPORT_SYMBOL_GPL(security_kernel_load_data); > > @@ -3235,13 +3205,8 @@ int security_kernel_post_load_data(char *buf, loff_t size, > enum kernel_load_data_id id, > char *description) > { > - int ret; > - > - ret = call_int_hook(kernel_post_load_data, 0, buf, size, id, > - description); > - if (ret) > - return ret; > - return ima_post_load_data(buf, size, id, description); > + return call_int_hook(kernel_post_load_data, 0, buf, size, id, > + description); > } > EXPORT_SYMBOL_GPL(security_kernel_post_load_data); > > -- > 2.34.1 > -- Chuck Lever