[PATCH v7 22/23] integrity: Remove 'integrity' LSM and move integrity functions to 'ima' LSM

From: Roberto Sassu
Date: Thu Nov 30 2023 - 18:21:08 EST


From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Move the 'integrity' LSM tasks to the 'ima' LSM, and remove the former.

In particular, let 'ima' manage integrity metadata by reserving space in
the security blob for a pointer to the integrity_iint_cache structure, by
initializing the corresponding memory cache, and by registering
integrity_inode_free() for the inode_free_security LSM hook.

Also move the global declaration of integrity_inode_get() and
integrity_inode_free() to security/integrity/integrity.h, so that they can
still be called by IMA.

Finally, register integrity_kernel_module_request() in 'ima' for the
kernel_module_request LSM hook, since it is the one affected by the crypto
subsystem trying to load kernel modules, and remove the 'integrity' LSM.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
include/linux/integrity.h | 26 --------------------------
security/integrity/iint.c | 19 ++++++++++++-------
security/integrity/ima/ima_main.c | 5 +++++
security/integrity/integrity.h | 9 +++++++++
security/security.c | 9 +--------
5 files changed, 27 insertions(+), 41 deletions(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 2ea0f2f65ab6..afaae7ad26f4 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -21,38 +21,12 @@ enum integrity_status {

/* List of EVM protected security xattrs */
#ifdef CONFIG_INTEGRITY
-extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
-extern void integrity_inode_free(struct inode *inode);
extern void __init integrity_load_keys(void);

#else
-static inline struct integrity_iint_cache *
- integrity_inode_get(struct inode *inode)
-{
- return NULL;
-}
-
-static inline void integrity_inode_free(struct inode *inode)
-{
- return;
-}
-
static inline void integrity_load_keys(void)
{
}
#endif /* CONFIG_INTEGRITY */

-#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
-
-extern int integrity_kernel_module_request(char *kmod_name);
-
-#else
-
-static inline int integrity_kernel_module_request(char *kmod_name)
-{
- return 0;
-}
-
-#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */
-
#endif /* _LINUX_INTEGRITY_H */
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index d4419a2a1e24..c36054041b84 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -127,6 +127,13 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode)
struct rb_node *node, *parent = NULL;
struct integrity_iint_cache *iint, *test_iint;

+ /*
+ * After removing the 'integrity' LSM, the 'ima' LSM calls
+ * integrity_iintcache_init() to initialize iint_cache.
+ */
+ if (!IS_ENABLED(CONFIG_IMA))
+ return NULL;
+
iint = integrity_iint_find(inode);
if (iint)
return iint;
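Review bot: The new guard at the top of integrity_inode_get() tests the Kconfig symbol, but iint_cache is now created only when init_ima_lsm() runs, so the compile-time check does not cover a kernel with CONFIG_IMA=y where the 'ima' LSM is left out of the enabled LSM list at boot (unless 'ima' is declared with an order that cannot be disabled, which this patch does not show); in that case the kmem_cache_alloc() further down the function, outside this hunk, would be handed a NULL cache. A runtime check covers both situations at the same cost, `if (!iint_cache) return NULL;`, and the comment above it could then say why: `/* iint_cache is created by the 'ima' LSM in integrity_iintcache_init(); without it there is no metadata to hand out. */`. The body of integrity_inode_get() continues past the end of this hunk.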
@@ -193,19 +200,17 @@ static void iint_init_once(void *foo)
memset(iint, 0, sizeof(*iint));
}

-static int __init integrity_iintcache_init(void)
+/*
+ * Initialize the integrity metadata cache from IMA, since it is the only LSM
+ * that really needs it. EVM can work without it.
+ */
+int __init integrity_iintcache_init(void)
{
iint_cache =
kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache),
0, SLAB_PANIC, iint_init_once);
return 0;
}
-DEFINE_LSM(integrity) = {
- .name = "integrity",
- .init = integrity_iintcache_init,
- .order = LSM_ORDER_LAST,
-};
-

/*
* integrity_kernel_read - read data from the file
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 079f629bf369..3f59cce3fa02 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1138,6 +1138,10 @@ static struct security_hook_list ima_hooks[] __ro_after_init = {
#endif
#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
LSM_HOOK_INIT(key_post_create_or_update, ima_post_key_create_or_update),
+#endif
+ LSM_HOOK_INIT(inode_free_security, integrity_inode_free),
+#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
+ LSM_HOOK_INIT(kernel_module_request, integrity_kernel_module_request),
#endif
};
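Review bot: Registering integrity_inode_free() as an ordinary inode_free_security hook changes when it runs relative to other LSMs: the removed call in security_inode_free() ran before call_void_hook() reached any LSM, whereas now it runs at IMA's position in the hook list, after whatever LSMs precede 'ima'. Nothing in the hunk shows another LSM depending on the integrity metadata still being present in its own inode_free_security hook, so this is probably fine, but the commit message does not mention the reordering and a one-line comment on the registration would record it: `/* Runs in LSM order now, no longer ahead of every other inode_free_security hook. */`. The ima_hooks[] array starts before this hunk.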

@@ -1148,6 +1152,7 @@ static const struct lsm_id ima_lsmid = {

static int __init init_ima_lsm(void)
{
+ integrity_iintcache_init();
security_add_hooks(ima_hooks, ARRAY_SIZE(ima_hooks), &ima_lsmid);
init_ima_appraise_lsm(&ima_lsmid);
return 0;
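Review bot: The return value of integrity_iintcache_init() is discarded on the first line of init_ima_lsm(), yet the function is declared to return int; since its only visible failure mode is covered by SLAB_PANIC, the int is misleading rather than useful. Either check it, `if (integrity_iintcache_init()) return -ENOMEM;` (with a matching error path in iint.c), or make the function `void __init integrity_iintcache_init(void)` and drop its `return 0;`, adjusting the prototype in security/integrity/integrity.h to match. Calling it before security_add_hooks() is the right order, since the inode_free_security hook registered there frees from that cache.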
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 59eaddd84434..26d3b08dca1c 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -180,6 +180,9 @@ struct integrity_iint_cache {
* integrity data associated with an inode.
*/
struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
+struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
+void integrity_inode_free(struct inode *inode);
+int __init integrity_iintcache_init(void);

int integrity_kernel_read(struct file *file, loff_t offset,
void *addr, unsigned long count);
@@ -236,12 +239,18 @@ static inline int __init integrity_load_cert(const unsigned int id,
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen);
+int integrity_kernel_module_request(char *kmod_name);
#else
static inline int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen)
{
return -EOPNOTSUPP;
}
+
+static inline int integrity_kernel_module_request(char *kmod_name)
+{
+ return 0;
+}
#endif
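Review bot: The inline stub for integrity_kernel_module_request() in the #else branch has no caller in this series: the only use, the LSM_HOOK_INIT() in ima_main.c, is itself wrapped in `#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS`, so the stub is dead code unless a caller exists outside this patch. Pick one form of the conditional: keep the guarded LSM_HOOK_INIT() and drop the stub, or keep the stub and register the hook unconditionally so the stub's `return 0` does the work. A short comment on whichever survives would help, e.g. `/* Only needed when asymmetric-key verification can trigger module loads. */`.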

#ifdef CONFIG_IMA_APPRAISE_MODSIG
diff --git a/security/security.c b/security/security.c
index 778043a626a6..351a124b771c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -19,7 +19,6 @@
#include <linux/kernel.h>
#include <linux/kernel_read_file.h>
#include <linux/lsm_hooks.h>
-#include <linux/integrity.h>
#include <linux/fsnotify.h>
#include <linux/mman.h>
#include <linux/mount.h>
@@ -1597,7 +1596,6 @@ static void inode_free_by_rcu(struct rcu_head *head)
*/
void security_inode_free(struct inode *inode)
{
- integrity_inode_free(inode);
call_void_hook(inode_free_security, inode);
/*
* The inode may still be referenced in a path walk and
@@ -3182,12 +3180,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
*/
int security_kernel_module_request(char *kmod_name)
{
- int ret;
-
- ret = call_int_hook(kernel_module_request, 0, kmod_name);
- if (ret)
- return ret;
- return integrity_kernel_module_request(kmod_name);
+ return call_int_hook(kernel_module_request, 0, kmod_name);
}
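Review bot: Folding the integrity check into call_int_hook() changes which error a caller sees when more than one LSM objects: before, integrity_kernel_module_request() ran only after every LSM hook had returned 0, so its errno was never reported ahead of another LSM's; now it is one link in a chain that stops at the first non-zero return, at IMA's position. The denial outcome is the same, so this is an observable but probably acceptable change; it is worth a sentence in the commit message. The kerneldoc for security_kernel_module_request() ends just above this hunk and is not visible here; if it still describes the separate integrity step, it needs updating too.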

/**
--
2.34.1