On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> > > Define a new structure for EVM-specific metadata, called evm_iint_cache, > and embed it in the inode security blob. Introduce evm_iint_inode() to > retrieve metadata, and register evm_inode_alloc_security() for the > inode_alloc_security LSM hook, to initialize the structure (before > splitting metadata, this task was done by iint_init_always()). > > Keep the non-NULL checks after calling evm_iint_inode() except in > evm_inode_alloc_security(), to take into account inodes for which > security_inode_alloc() was not called. When using shared metadata, > obtaining a NULL pointer from integrity_iint_find() meant that the file > wasn't processed by IMA. ^wasn't in policy. Ok. So now regardless of the IMA policy, EVM always allocates and stores the EVM status. Depending on the IMA policy, the EVM status could be saved for a lot more inodes. > > Given that from now on EVM relies on its own metadata, remove the iint > parameter from evm_verifyxattr(). Also, directly retrieve the iint in > evm_verify_hmac(), called by both evm_verifyxattr() and > evm_verify_current_integrity(), since now there is no performance penalty > in retrieving EVM metadata (constant time). Ok. So the change only negatively impacts memory usage, not performance. > > Replicate the management of the IMA_NEW_FILE flag (now EVM_NEW_FILE), by > introducing evm_post_path_mknod() and evm_file_free() to respectively set > and clear the new flag at the same time IMA does. nit: Instead of "(now EVM_NEW_FILE)", add an additional sentence, saying "Define EVM_NEW_FILE". > A noteworthy difference > is that evm_post_path_mknod() cannot check if a file must be appraised. This is the result of making EVM independent of IMA's policy. Somewhere, here or above, this needs to be stated. > Also, since IMA_NEW_FILE is always cleared in ima_check_last_writer() if it > is set, it is not necessary to maintain an inode version in EVM to > replicate the IMA logic (the inode version check is in OR). IMA checking the i_version is to prevent unnecessarily having to re- calculate the file data hash, which depending on the file size could take a while. This is unnecessary for EVM, as re-calculating the EVM hmac is triggered anytime a trusted xattr is updated. So only the EVM new file flag needs to cleared on file free. > Also, move the EVM-specific flag EVM_IMMUTABLE_DIGSIG to > security/integrity/evm/evm.h, since that definition is now unnecessary in > the common integrity layer. > > Finally, switch to the LSM reservation mechanism for the EVM xattr, and > consequently decrement by one the number of xattrs to allocate in > security_inode_init_security(). > > Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> -- thanks, Mimi
