Hi,

It's been over 4 years since LSM stack was introduced. The integrity
subsystem is long overdue for moving to this infrastructure. Here's my
first pass at converting integrity and ima (and some of evm) into LSM
hooks. This should be enough of an example to finish evm, and introduce
the missing hooks for both. For example, after this, it looks like ima
only has a couple places it's still doing things outside of the LSM. At
least these stood out:

fs/namei.c:     ima_post_create_tmpfile(mnt_userns, inode);
fs/namei.c:     ima_post_path_mknod(mnt_userns, dentry);

Mimi, can you please take this series and finish the conversion for
what's missing in ima and evm?

I would also call attention to "175 insertions(+), 240 deletions(-)" --
as expected, this is a net reduction in code.

Thanks!

-Kees

Kees Cook (9):
  integrity: Prepare for having "ima" and "evm" available in "integrity" LSM
  security: Move trivial IMA hooks into LSM
  ima: Move xattr hooks into LSM
  ima: Move ima_file_free() into LSM
  LSM: Introduce inode_post_setattr hook
  fs: Introduce file_to_perms() helper
  ima: Move ima_file_check() into LSM
  integrity: Move trivial hooks into LSM
  integrity: Move integrity_inode_get() out of global header

 fs/attr.c                             |  3 +-
 fs/file_table.c                       |  1 -
 fs/namei.c                            |  2 -
 fs/nfsd/vfs.c                         |  6 --
 include/linux/evm.h                   |  6 --
 include/linux/fs.h                    | 22 +++++++
 include/linux/ima.h                   | 87 ---------------------------
 include/linux/integrity.h             | 30 +--------
 include/linux/lsm_hook_defs.h         |  3 +
 security/Kconfig                      | 10 +--
 security/apparmor/include/file.h      | 18 ++----
 security/integrity/evm/evm_main.c     | 14 ++++-
 security/integrity/iint.c             | 28 +++++++--
 security/integrity/ima/ima.h          | 12 ++++
 security/integrity/ima/ima_appraise.c | 21 +++++--
 security/integrity/ima/ima_main.c     | 66 ++++++++++++++------
 security/integrity/integrity.h        |  8 +++
 security/security.c                   | 78 ++++++------------------
 18 files changed, 175 insertions(+), 240 deletions(-)

-- 
2.34.1