Re: [PATCH v9 21/25] ima: Move IMA-Appraisal to LSM infrastructure

From: Christian Brauner
Date: Fri Feb 09 2024 - 04:45:59 EST


On Mon, Jan 15, 2024 at 07:18:05PM +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> A few additional IMA hooks are needed to reset the cached appraisal
> status, causing the file's integrity to be re-evaluated on next access.
> Register these IMA-appraisal only functions separately from the rest of IMA
> functions, as appraisal is a separate feature not necessarily enabled in
> the kernel configuration.
>
> Reuse the same approach as for other IMA functions, move hardcoded calls
> from various places in the kernel to the LSM infrastructure. Declare the
> functions as static and register them as hook implementations in
> init_ima_appraise_lsm(), called by init_ima_lsm().
>
> Also move the inline function ima_inode_remove_acl() from the public ima.h
> header to ima_appraise.c.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> fs/attr.c | 2 -
> include/linux/ima.h | 55 ---------------------------
> security/integrity/ima/ima.h | 5 +++
> security/integrity/ima/ima_appraise.c | 38 +++++++++++++-----
> security/integrity/ima/ima_main.c | 1 +
> security/security.c | 13 -------
> 6 files changed, 35 insertions(+), 79 deletions(-)
>
> diff --git a/fs/attr.c b/fs/attr.c
> index 221d2bb0a906..38841f3ebbcb 100644
> --- a/fs/attr.c
> +++ b/fs/attr.c
> @@ -17,7 +17,6 @@
> #include <linux/filelock.h>
> #include <linux/security.h>
> #include <linux/evm.h>
> -#include <linux/ima.h>
>
> #include "internal.h"
>
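Review bot: dropping `#include <linux/ima.h>` here is only safe if ima_inode_post_setattr() was the sole ima.h symbol fs/attr.c used; the diffstat shows no other change to fs/attr.c, so please confirm nothing else in the file (including anything previously pulled in transitively through ima.h) depended on that header, otherwise this will only surface as a build failure in configurations where evm.h or security.h do not happen to include the same declarations.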
> @@ -503,7 +502,6 @@ int notify_change(struct mnt_idmap *idmap, struct dentry *dentry,
> if (!error) {
> fsnotify_change(dentry, ia_valid);
> security_inode_post_setattr(idmap, dentry, ia_valid);
> - ima_inode_post_setattr(idmap, dentry, ia_valid);
> evm_inode_post_setattr(idmap, dentry, ia_valid);
> }
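Review bot: the relative order that matters in this hunk, IMA's cached-appraisal-status reset before evm_inode_post_setattr(), is now preserved only because the IMA handler runs inside security_inode_post_setattr() on the line above, and notify_change() carries no comment recording that dependency; suggest a short comment such as "/* IMA appraisal reset runs via security_inode_post_setattr() */" above the evm_inode_post_setattr(idmap, dentry, ia_valid) call, or at least a sentence in the commit message saying the ordering is unchanged, so a later reordering of these two calls does not silently break the appraisal re-evaluation on next access that the commit message describes.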

Acked-by: Christian Brauner <brauner@xxxxxxxxxx>