On Wed, 2023-12-06 at 14:10 +0100, Roberto Sassu wrote: > On Mon, 2023-12-04 at 14:26 +0100, Roberto Sassu wrote: ... > > If the result of this patch set should be that IMA and EVM become > > proper LSMs without the shared integrity layer, instead of collapsing > > all changes in this patch set, I think we should first verify if IMA > > and EVM can be really independent. Once we guarantee that, we can > > proceed making the proper LSMs. > > > > These are the changes I have in mind: > > > > 1) Fix evm_verifyxattr(), and make it work without integrity_iint_cache > > 2) Remove the integrity_iint_cache parameter from evm_verifyxattr(), > > since the other callers are not going to use it > > Ehm, I checked better. > > integrity_inode_get() is public too (although it is not exported). So, > a caller (not IMA) could do: > > iint = integrity_inode_get(inode); > status = evm_verifyxattr(..., iint); > > However, it should not call integrity_inode_free(), which is also in > include/linux/integrity.h, since this is going to be called by > security_inode_free() (currently). Calling integrity_inode_free() directly would release the iint early. As a result, IMA would then need to re-allocate it on next access. Other than impacting IMA's performance, is this a problem? > > 3) Create an internal function with the original parameters to be used > > by IMA > > 4) Introduce evm_post_path_mknod(), which similarly to > > ima_post_path_mknod(), sets IMA_NEW_FILE for new files > > I just realized that also this is changing the current behavior. > > IMA would clear IMA_NEW_FILE in ima_check_last_writer(), while EVM > wouldn't (unless we implement the file_release hook in EVM too). True Mimi > > 5) Add hardcoded call to evm_post_path_mknod() after > > ima_post_path_mknod() in security.c > > > > If we think that this is good enough, we proceed with the move of IMA > > and EVM functions to the LSM infrastructure (patches v7 19-21). > > > > The next patches are going to be similar to patches v6 22-23, but > > unlike those, their goal would be simply to split metadata, not to make > > IMA and EVM independent, which at this point has been addressed > > separately in the prerequisite patches. > > > > The final patch is to remove the 'integrity' LSM and the integrity > > metadata management code, which now is not used anymore. > > > > Would that work? > > We are not making much progress, I'm going to follow any recommendation > that would move this forward.
