[PATCH v6 23/25] evm: Remove dependency on 'integrity' LSM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Similarly to IMA, introduce EVM own integrity metadata (evm_iint_cache,
with EVM-specific fields from integrity_iint_cache), and reserve them from
the 'evm' LSM.

First, replace the integrity_iint_cache structure with evm_iint_cache in
various places of the EVM code.

Then, reserve space in the security blob for the evm_iint_cache structure,
so that retrieval always succeeds. Replace integrity_inode_get() and
integrity_iint_find() with evm_inode_get_iint(), to retrieve the
evm_iint_cache structure.

Initialize the new evm_iint_cache structure by registering
evm_inode_alloc_security() as implementation of the inode_alloc_security
LSM hook.

Since now IMA and EVM integrity metadata are disjoint, and always
available, remove the iint parameter from evm_verifyxattr() and always
retrieve the evm_iint_cache structure in evm_verify_hmac(), called by
evm_verifyxattr() and evm_verify_current_integrity().

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
 include/linux/evm.h                   |  8 +---
 security/integrity/evm/evm.h          | 17 ++++++++
 security/integrity/evm/evm_crypto.c   |  5 +--
 security/integrity/evm/evm_main.c     | 63 ++++++++++++++-------------
 security/integrity/ima/ima_appraise.c |  2 +-
 5 files changed, 54 insertions(+), 41 deletions(-)

diff --git a/include/linux/evm.h b/include/linux/evm.h
index cb481eccc967..d48d6da32315 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -12,15 +12,12 @@
 #include <linux/integrity.h>
 #include <linux/xattr.h>
 
-struct integrity_iint_cache;
-
 #ifdef CONFIG_EVM
 extern int evm_set_key(void *key, size_t keylen);
 extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
 					     const char *xattr_name,
 					     void *xattr_value,
-					     size_t xattr_value_len,
-					     struct integrity_iint_cache *iint);
+					     size_t xattr_value_len);
 int evm_inode_init_security(struct inode *inode, struct inode *dir,
 			    const struct qstr *qstr, struct xattr *xattrs,
 			    int *xattr_count);
@@ -48,8 +45,7 @@ static inline int evm_set_key(void *key, size_t keylen)
 static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
 						    const char *xattr_name,
 						    void *xattr_value,
-						    size_t xattr_value_len,
-					struct integrity_iint_cache *iint)
+						    size_t xattr_value_len)
 {
 	return INTEGRITY_UNKNOWN;
 }
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 53bd7fec93fa..478b6fbca699 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -32,6 +32,23 @@ struct xattr_list {
 	bool enabled;
 };
 
+/* EVM integrity metadata associated with an inode */
+struct evm_iint_cache {
+	unsigned long flags;
+	enum integrity_status evm_status:4;
+};
+
+extern struct lsm_blob_sizes evm_blob_sizes;
+
+static inline struct evm_iint_cache *
+evm_inode_get_iint(const struct inode *inode)
+{
+	struct evm_iint_cache *evm_iint_sec;
+
+	evm_iint_sec = inode->i_security + evm_blob_sizes.lbs_inode;
+	return evm_iint_sec;
+}
+
 extern int evm_initialized;
 
 #define EVM_ATTR_FSUUID		0x0001
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index b1ffd4cc0b44..c69422cc4a52 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -322,11 +322,10 @@ int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
 static int evm_is_immutable(struct dentry *dentry, struct inode *inode)
 {
 	const struct evm_ima_xattr_data *xattr_data = NULL;
-	struct integrity_iint_cache *iint;
+	struct evm_iint_cache *iint = evm_inode_get_iint(inode);
 	int rc = 0;
 
-	iint = integrity_iint_find(inode);
-	if (iint && (iint->flags & EVM_IMMUTABLE_DIGSIG))
+	if (iint->flags & EVM_IMMUTABLE_DIGSIG)
 		return 1;
 
 	/* Do this the hard way */
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 1e59a985b845..5aa5207a75e1 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -167,18 +167,20 @@ static int evm_find_protected_xattrs(struct dentry *dentry)
 static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 					     const char *xattr_name,
 					     char *xattr_value,
-					     size_t xattr_value_len,
-					     struct integrity_iint_cache *iint)
+					     size_t xattr_value_len)
 {
 	struct evm_ima_xattr_data *xattr_data = NULL;
 	struct signature_v2_hdr *hdr;
 	enum integrity_status evm_status = INTEGRITY_PASS;
 	struct evm_digest digest;
 	struct inode *inode;
+	struct evm_iint_cache *iint;
 	int rc, xattr_len, evm_immutable = 0;
 
-	if (iint && (iint->evm_status == INTEGRITY_PASS ||
-		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
+	iint = evm_inode_get_iint(d_backing_inode(dentry));
+
+	if ((iint->evm_status == INTEGRITY_PASS ||
+	     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
 		return iint->evm_status;
 
 	/* if status is not PASS, try to check again - against -ENOMEM */
@@ -243,8 +245,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 			inode = d_backing_inode(dentry);
 
 			if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
-				if (iint)
-					iint->flags |= EVM_IMMUTABLE_DIGSIG;
+				iint->flags |= EVM_IMMUTABLE_DIGSIG;
 				evm_status = INTEGRITY_PASS_IMMUTABLE;
 			} else if (!IS_RDONLY(inode) &&
 				   !(inode->i_sb->s_readonly_remount) &&
@@ -271,8 +272,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
 	pr_debug("digest: (%d) [%*phN]\n", digest.hdr.length, digest.hdr.length,
 		  digest.digest);
 out:
-	if (iint)
-		iint->evm_status = evm_status;
+	iint->evm_status = evm_status;
 	kfree(xattr_data);
 	return evm_status;
 }
@@ -389,7 +389,6 @@ int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
  * @xattr_name: requested xattr
  * @xattr_value: requested xattr value
  * @xattr_value_len: requested xattr value length
- * @iint: inode integrity metadata
  *
  * Calculate the HMAC for the given dentry and verify it against the stored
  * security.evm xattr. For performance, use the xattr value and length
@@ -402,19 +401,13 @@ int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer,
  */
 enum integrity_status evm_verifyxattr(struct dentry *dentry,
 				      const char *xattr_name,
-				      void *xattr_value, size_t xattr_value_len,
-				      struct integrity_iint_cache *iint)
+				      void *xattr_value, size_t xattr_value_len)
 {
 	if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
 		return INTEGRITY_UNKNOWN;
 
-	if (!iint) {
-		iint = integrity_inode_get(d_backing_inode(dentry));
-		if (!iint)
-			return INTEGRITY_UNKNOWN;
-	}
 	return evm_verify_hmac(dentry, xattr_name, xattr_value,
-				 xattr_value_len, iint);
+				 xattr_value_len);
 }
 EXPORT_SYMBOL_GPL(evm_verifyxattr);
 
@@ -431,7 +424,7 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
 
 	if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
 		return INTEGRITY_PASS;
-	return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
+	return evm_verify_hmac(dentry, NULL, NULL, 0);
 }
 
 /*
@@ -503,14 +496,14 @@ static int evm_protect_xattr(struct mnt_idmap *idmap,
 
 	evm_status = evm_verify_current_integrity(dentry);
 	if (evm_status == INTEGRITY_NOXATTRS) {
-		struct integrity_iint_cache *iint;
+		struct evm_iint_cache *iint;
 
 		/* Exception if the HMAC is not going to be calculated. */
 		if (evm_hmac_disabled())
 			return 0;
 
-		iint = integrity_iint_find(d_backing_inode(dentry));
-		if (iint && (iint->flags & IMA_NEW_FILE))
+		iint = evm_inode_get_iint(d_backing_inode(dentry));
+		if ((iint->flags & IMA_NEW_FILE))
 			return 0;
 
 		/* exception for pseudo filesystems */
@@ -712,11 +705,9 @@ static int evm_inode_remove_acl(struct mnt_idmap *idmap, struct dentry *dentry,
 
 static void evm_reset_status(struct inode *inode)
 {
-	struct integrity_iint_cache *iint;
+	struct evm_iint_cache *iint = evm_inode_get_iint(inode);
 
-	iint = integrity_iint_find(inode);
-	if (iint)
-		iint->evm_status = INTEGRITY_UNKNOWN;
+	iint->evm_status = INTEGRITY_UNKNOWN;
 }
 
 /**
@@ -982,12 +973,11 @@ EXPORT_SYMBOL_GPL(evm_inode_init_security);
 static void __maybe_unused
 evm_post_path_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
 {
-	struct integrity_iint_cache *iint;
+	struct evm_iint_cache *iint;
 
-	iint = integrity_inode_get(d_backing_inode(dentry));
-	if (iint)
-		/* needed for successful verification of empty files */
-		iint->flags |= IMA_NEW_FILE;
+	iint = evm_inode_get_iint(d_backing_inode(dentry));
+	/* needed for successful verification of empty files */
+	iint->flags |= IMA_NEW_FILE;
 }
 
 #ifdef CONFIG_EVM_LOAD_X509
@@ -1029,6 +1019,15 @@ static int __init init_evm(void)
 	return error;
 }
 
+static int evm_inode_alloc_security(struct inode *inode)
+{
+	struct evm_iint_cache *evm_iint = evm_inode_get_iint(inode);
+
+	evm_iint->flags = 0UL;
+	evm_iint->evm_status = INTEGRITY_UNKNOWN;
+	return 0;
+}
+
 static struct security_hook_list evm_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(inode_setattr, evm_inode_setattr),
 	LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr),
@@ -1041,6 +1040,7 @@ static struct security_hook_list evm_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(inode_removexattr, evm_inode_removexattr),
 	LSM_HOOK_INIT(inode_post_removexattr, evm_inode_post_removexattr),
 	LSM_HOOK_INIT(inode_init_security, evm_inode_init_security),
+	LSM_HOOK_INIT(inode_alloc_security, evm_inode_alloc_security),
 #ifdef CONFIG_SECURITY_PATH
 	LSM_HOOK_INIT(path_post_mknod, evm_post_path_mknod),
 #endif
@@ -1064,7 +1064,8 @@ int __init init_evm_lsm(void)
 	return 0;
 }
 
-static struct lsm_blob_sizes evm_blob_sizes __ro_after_init = {
+struct lsm_blob_sizes evm_blob_sizes __ro_after_init = {
+	.lbs_inode = sizeof(struct evm_iint_cache),
 	.lbs_xattr_count = 1,
 };
 
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index b0b96c263961..89125efb7e06 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -519,7 +519,7 @@ int ima_appraise_measurement(enum ima_hooks func,
 	}
 
 	status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value,
-				 rc < 0 ? 0 : rc, NULL);
+				 rc < 0 ? 0 : rc);
 	switch (status) {
 	case INTEGRITY_PASS:
 	case INTEGRITY_PASS_IMMUTABLE:
-- 
2.34.1




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux