Re: [PATCH 0/9] integrity: Move hooks into LSM

There is a complementary patch series that didn't receive review: https://lore.kernel.org/all/20210427113732.471066-1-roberto.sassu@xxxxxxxxxx/

On 14/10/2022 00:36, Kees Cook wrote:
Hi,

It's been over 4 years since the LSM stack was introduced. The integrity
subsystem is long overdue for moving to this infrastructure. Here's my
first pass at converting integrity and ima (and some of evm) into LSM
hooks. This should be enough of an example to finish evm, and introduce
the missing hooks for both. For example, after this, it looks like ima
only has a couple places it's still doing things outside of the LSM. At
least these stood out:

fs/namei.c:     ima_post_create_tmpfile(mnt_userns, inode);
fs/namei.c:                             ima_post_path_mknod(mnt_userns, dentry);

Mimi, can you please take this series and finish the conversion for
what's missing in ima and evm?

I would also call attention to "175 insertions(+), 240 deletions(-)" --
as expected, this is a net reduction in code.

Thanks!

-Kees

Kees Cook (9):
   integrity: Prepare for having "ima" and "evm" available in "integrity"
     LSM
   security: Move trivial IMA hooks into LSM
   ima: Move xattr hooks into LSM
   ima: Move ima_file_free() into LSM
   LSM: Introduce inode_post_setattr hook
   fs: Introduce file_to_perms() helper
   ima: Move ima_file_check() into LSM
   integrity: Move trivial hooks into LSM
   integrity: Move integrity_inode_get() out of global header

  fs/attr.c                             |  3 +-
  fs/file_table.c                       |  1 -
  fs/namei.c                            |  2 -
  fs/nfsd/vfs.c                         |  6 --
  include/linux/evm.h                   |  6 --
  include/linux/fs.h                    | 22 +++++++
  include/linux/ima.h                   | 87 ---------------------------
  include/linux/integrity.h             | 30 +--------
  include/linux/lsm_hook_defs.h         |  3 +
  security/Kconfig                      | 10 +--
  security/apparmor/include/file.h      | 18 ++----
  security/integrity/evm/evm_main.c     | 14 ++++-
  security/integrity/iint.c             | 28 +++++++--
  security/integrity/ima/ima.h          | 12 ++++
  security/integrity/ima/ima_appraise.c | 21 +++++--
  security/integrity/ima/ima_main.c     | 66 ++++++++++++++------
  security/integrity/integrity.h        |  8 +++
  security/security.c                   | 78 ++++++------------------
  18 files changed, 175 insertions(+), 240 deletions(-)
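For readers unfamiliar with what "moving a hook into the LSM" buys, the following user-space model (an added illustration, not code from this series or from the kernel) shows the dispatch rule that security.c applies to stacked LSMs: each registered module's hook runs in registration order, and the first non-zero return stops the chain. The names `lsm_register`, `dispatch_file_open`, `try_open`, `setup_hooks`, the two toy modules and the `file_ctx` struct are invented for the example; only the first-error-wins iteration mirrors the kernel's `call_int_hook()` behaviour.

```c
/*
 * User-space model of how the LSM infrastructure dispatches one integer
 * hook (here file_open) to every registered security module in turn.
 * Added example; the names below are hypothetical and not kernel API.
 * The behaviour it mirrors: hooks run in registration order and the
 * first non-zero return short-circuits the remaining modules.
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>

struct file_ctx {                 /* stand-in for the kernel's struct file */
    const char *path;
    int write;                    /* opened for writing? */
    int measured;                 /* did the toy "ima" hook record it? */
};

typedef int (*file_open_fn)(struct file_ctx *f);

struct lsm_hook {
    const char *lsm;              /* owning module name */
    file_open_fn file_open;
};

#define MAX_HOOKS 8
static struct lsm_hook hook_head[MAX_HOOKS];
static int hook_count;
int hook_log_count;               /* hooks actually run on the last dispatch */

/* Model of security_add_hooks(): append to the list for this hook type. */
int lsm_register(const char *lsm, file_open_fn fn)
{
    if (hook_count >= MAX_HOOKS)
        return -ENOMEM;
    hook_head[hook_count].lsm = lsm;
    hook_head[hook_count].file_open = fn;
    hook_count++;
    return 0;
}

/* Model of call_int_hook(): iterate in order, first non-zero return wins. */
int dispatch_file_open(struct file_ctx *f)
{
    int rc = 0;
    hook_log_count = 0;
    for (int i = 0; i < hook_count; i++) {
        hook_log_count++;
        rc = hook_head[i].file_open(f);
        if (rc != 0)
            break;
    }
    return rc;
}

/* Toy access-control module: deny writes under a protected prefix. */
static int toy_policy_file_open(struct file_ctx *f)
{
    if (f->write && strncmp(f->path, "/protected/", 11) == 0)
        return -EACCES;
    return 0;
}

/* Toy measurement module: record every file that reaches it (never denies). */
static int toy_ima_file_open(struct file_ctx *f)
{
    f->measured = 1;
    return 0;
}

/* Register both toy modules in order; returns the number of hooks. */
int setup_hooks(void)
{
    hook_count = 0;
    lsm_register("toy_policy", toy_policy_file_open);
    lsm_register("toy_ima", toy_ima_file_open);
    return hook_count;
}

/* Dispatch one open and report the result and whether it was measured. */
int try_open(const char *path, int write, int *measured_out)
{
    struct file_ctx f = { path, write, 0 };
    int rc = dispatch_file_open(&f);
    if (measured_out)
        *measured_out = f.measured;
    return rc;
}

int main(void)
{
    int m;
    setup_hooks();
    printf("/etc/hostname: rc=%d measured=%d\n", try_open("/etc/hostname", 0, &m), m);
    printf("/protected/secret: rc=%d measured=%d\n", try_open("/protected/secret", 1, &m), m);
    return 0;
}
```

The second call shows why ordering matters once integrity hooks live in the LSM list: because the toy policy module denies the open first, the measurement hook behind it never runs for that file, exactly as a later LSM is skipped after an earlier one returns an error.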