Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM

From: Mimi Zohar
Date: Wed Oct 19 2022 - 15:14:11 EST


On Wed, 2022-10-19 at 11:33 -0700, Kees Cook wrote:
> On Mon, Oct 17, 2022 at 11:26:44AM +0200, Mickaël Salaün wrote:
> >
> > On 14/10/2022 19:59, Kees Cook wrote:
> > > On Fri, Oct 14, 2022 at 04:40:01PM +0200, Mickaël Salaün wrote:
> > > > This is not backward compatible
> > >
> > > Why? Nothing will be running LSM hooks until init finishes, at which
> > > point the integrity inode cache will be allocated. And ima and evm don't
> > > start up until lateinit.
> > >
> > > > , but can easily be fixed thanks to
> > > > DEFINE_LSM().order
> > >
> > > That forces the LSM to be enabled, which may not be desired?
> >
> > This is not backward compatible because currently IMA is enabled
> > independently of the "lsm=" cmdline, which means that for all installed
> > systems using IMA and also with a custom "lsm=" cmdline, updating the kernel
> > with this patch will (silently) disable IMA. Using ".order =
> > LSM_ORDER_FIRST," should keep this behavior.
>
> This isn't true. If "integrity" is removed from the lsm= line today, IMA
> will immediately panic:
>
> process_measurement():
> integrity_inode_get():
> if (!iint_cache)
> panic("%s: lsm=integrity required.\n", __func__);
>
> and before v5.12 (where the panic was added), it would immediately NULL
> deref. (And it took 3 years to even notice.)

Most people were/are still using the "security=" boot command line
option, not "lsm=". This previously wasn't a problem with "security=",
but became a problem with "lsm=". I should have been aware of the
change from "security=" to "lsm=", but unfortunately wasn't. It took
me totally by surprise. All of sudden "integrity" went from being a
common IMA/EVM resource to an LSM. The correct solution would have
been to move it a different initcall. (It's not too late to fix it.)

--
thanks,

Mimi