| Message ID | 20230303181842.1087717-1-roberto.sassu@huaweicloud.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | security: Move IMA and EVM to the LSM infrastructure | expand |
Hi Roberto, On Fri, 2023-03-03 at 19:18 +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu@huawei.com> > > This patch set depends on: > - https://lore.kernel.org/linux-integrity/20221201104125.919483-1-roberto.sassu@huaweicloud.com/ (there will be a v8 shortly) > - https://lore.kernel.org/linux-security-module/20230217032625.678457-1-paul@paul-moore.com/ > > IMA and EVM are not effectively LSMs, especially due the fact that in the > past they could not provide a security blob while there is another LSM > active. > > That changed in the recent years, the LSM stacking feature now makes it > possible to stack together multiple LSMs, and allows them to provide a > security blob for most kernel objects. While the LSM stacking feature has > some limitations being worked out, it is already suitable to make IMA and > EVM as LSMs. > > In short, while this patch set is big, it does not make any functional > change to IMA and EVM. IMA and EVM functions are called by the LSM > infrastructure in the same places as before (except ima_post_path_mknod()), > rather being hardcoded calls, and the inode metadata pointer is directly > stored in the inode security blob rather than in a separate rbtree. > > More specifically, patches 1-13 make IMA and EVM functions suitable to > be registered to the LSM infrastructure, by aligning function parameters. > > Patches 14-22 add new LSM hooks in the same places where IMA and EVM > functions are called, if there is no LSM hook already. > > Patch 23 adds the 'last' ordering strategy for LSMs, so that IMA and EVM > functions are called in the same order as of today. Also, like with the > 'first' strategy, LSMs using it are always enabled, so IMA and EVM > functions will be always called (if IMA and EVM are compiled built-in). > > Patches 24-27 do the bulk of the work, remove hardcoded calls to IMA and > EVM functions, register those functions in the LSM infrastructure, and let > the latter call them. In addition, they also reserve one slot for EVM to > supply an xattr to the inode_init_security hook. > > Finally, patch 28 removes the rbtree used to bind metadata to the inodes, > and instead reserve a space in the inode security blob to store the pointer > to metadata. This also brings performance improvements due to retrieving > metadata in constant time, as opposed to logarithmic. Prior to IMA being upstreamed, it went through a number of iterations, first on the security hooks, then as a separate parallel set of integrity hooks, and, finally, co-located with the security hooks, where they exist. With this patch set we've come full circle. With the LSM stacking support, multiple LSMs can now use the 'i_security' field removing the need for the rbtree indirection for accessing integrity state info. Roberto, thank you for making this change. Mostly it looks good. Reviewing the patch set will be easier once the prereq's and this patch set can be properly applied.
On Wed, 2023-03-08 at 10:14 -0500, Mimi Zohar wrote: > Hi Roberto, > > On Fri, 2023-03-03 at 19:18 +0100, Roberto Sassu wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > This patch set depends on: > > - https://lore.kernel.org/linux-integrity/20221201104125.919483-1-roberto.sassu@huaweicloud.com/ (there will be a v8 shortly) > > - https://lore.kernel.org/linux-security-module/20230217032625.678457-1-paul@paul-moore.com/ > > > > IMA and EVM are not effectively LSMs, especially due the fact that in the > > past they could not provide a security blob while there is another LSM > > active. > > > > That changed in the recent years, the LSM stacking feature now makes it > > possible to stack together multiple LSMs, and allows them to provide a > > security blob for most kernel objects. While the LSM stacking feature has > > some limitations being worked out, it is already suitable to make IMA and > > EVM as LSMs. > > > > In short, while this patch set is big, it does not make any functional > > change to IMA and EVM. IMA and EVM functions are called by the LSM > > infrastructure in the same places as before (except ima_post_path_mknod()), > > rather being hardcoded calls, and the inode metadata pointer is directly > > stored in the inode security blob rather than in a separate rbtree. > > > > More specifically, patches 1-13 make IMA and EVM functions suitable to > > be registered to the LSM infrastructure, by aligning function parameters. > > > > Patches 14-22 add new LSM hooks in the same places where IMA and EVM > > functions are called, if there is no LSM hook already. > > > > Patch 23 adds the 'last' ordering strategy for LSMs, so that IMA and EVM > > functions are called in the same order as of today. Also, like with the > > 'first' strategy, LSMs using it are always enabled, so IMA and EVM > > functions will be always called (if IMA and EVM are compiled built-in). > > > > Patches 24-27 do the bulk of the work, remove hardcoded calls to IMA and > > EVM functions, register those functions in the LSM infrastructure, and let > > the latter call them. In addition, they also reserve one slot for EVM to > > supply an xattr to the inode_init_security hook. > > > > Finally, patch 28 removes the rbtree used to bind metadata to the inodes, > > and instead reserve a space in the inode security blob to store the pointer > > to metadata. This also brings performance improvements due to retrieving > > metadata in constant time, as opposed to logarithmic. > > Prior to IMA being upstreamed, it went through a number of iterations, > first on the security hooks, then as a separate parallel set of > integrity hooks, and, finally, co-located with the security hooks, > where they exist. With this patch set we've come full circle. > > With the LSM stacking support, multiple LSMs can now use the > 'i_security' field removing the need for the rbtree indirection for > accessing integrity state info. > > Roberto, thank you for making this change. Mostly it looks good. > Reviewing the patch set will be easier once the prereq's and this patch > set can be properly applied. Welcome. Yes, once Paul reviews the other patch set, we can progressively apply the patches. Thanks Roberto
From: Roberto Sassu <roberto.sassu@huawei.com> This patch set depends on: - https://lore.kernel.org/linux-integrity/20221201104125.919483-1-roberto.sassu@huaweicloud.com/ (there will be a v8 shortly) - https://lore.kernel.org/linux-security-module/20230217032625.678457-1-paul@paul-moore.com/ IMA and EVM are not effectively LSMs, especially due the fact that in the past they could not provide a security blob while there is another LSM active. That changed in the recent years, the LSM stacking feature now makes it possible to stack together multiple LSMs, and allows them to provide a security blob for most kernel objects. While the LSM stacking feature has some limitations being worked out, it is already suitable to make IMA and EVM as LSMs. In short, while this patch set is big, it does not make any functional change to IMA and EVM. IMA and EVM functions are called by the LSM infrastructure in the same places as before (except ima_post_path_mknod()), rather being hardcoded calls, and the inode metadata pointer is directly stored in the inode security blob rather than in a separate rbtree. More specifically, patches 1-13 make IMA and EVM functions suitable to be registered to the LSM infrastructure, by aligning function parameters. Patches 14-22 add new LSM hooks in the same places where IMA and EVM functions are called, if there is no LSM hook already. Patch 23 adds the 'last' ordering strategy for LSMs, so that IMA and EVM functions are called in the same order as of today. Also, like with the 'first' strategy, LSMs using it are always enabled, so IMA and EVM functions will be always called (if IMA and EVM are compiled built-in). Patches 24-27 do the bulk of the work, remove hardcoded calls to IMA and EVM functions, register those functions in the LSM infrastructure, and let the latter call them. In addition, they also reserve one slot for EVM to supply an xattr to the inode_init_security hook. Finally, patch 28 removes the rbtree used to bind metadata to the inodes, and instead reserve a space in the inode security blob to store the pointer to metadata. This also brings performance improvements due to retrieving metadata in constant time, as opposed to logarithmic. Roberto Sassu (28): ima: Align ima_inode_post_setattr() definition with LSM infrastructure ima: Align ima_post_path_mknod() definition with LSM infrastructure ima: Align ima_post_create_tmpfile() definition with LSM infrastructure ima: Align ima_file_mprotect() definition with LSM infrastructure ima: Align ima_inode_setxattr() definition with LSM infrastructure ima: Align ima_inode_removexattr() definition with LSM infrastructure ima: Align ima_post_read_file() definition with LSM infrastructure evm: Align evm_inode_post_setattr() definition with LSM infrastructure evm: Align evm_inode_setxattr() definition with LSM infrastructure evm: Align evm_inode_post_setxattr() definition with LSM infrastructure evm: Complete description of evm_inode_setattr() fs: Fix description of vfs_tmpfile() security: Align inode_setattr hook definition with EVM security: Introduce inode_post_setattr hook security: Introduce inode_post_removexattr hook security: Introduce file_post_open hook security: Introduce file_pre_free_security hook security: Introduce path_post_mknod hook security: Introduce inode_post_create_tmpfile hook security: Introduce inode_post_set_acl hook security: Introduce inode_post_remove_acl hook security: Introduce key_post_create_or_update hook security: Introduce LSM_ORDER_LAST ima: Move to LSM infrastructure ima: Move IMA-Appraisal to LSM infrastructure evm: Move to LSM infrastructure integrity: Move integrity functions to the LSM infrastructure integrity: Switch from rbtree to LSM-managed blob for integrity_iint_cache fs/attr.c | 5 +- fs/file_table.c | 3 +- fs/namei.c | 13 +- fs/nfsd/vfs.c | 3 +- fs/open.c | 1 - fs/posix_acl.c | 5 +- fs/xattr.c | 3 +- include/linux/evm.h | 112 ----------- include/linux/ima.h | 142 ------------- include/linux/integrity.h | 26 --- include/linux/lsm_hook_defs.h | 21 +- include/linux/lsm_hooks.h | 1 + include/linux/security.h | 65 ++++++ security/integrity/evm/evm_main.c | 109 ++++++++-- security/integrity/iint.c | 90 +++------ security/integrity/ima/ima.h | 12 ++ security/integrity/ima/ima_appraise.c | 38 +++- security/integrity/ima/ima_main.c | 77 +++++-- security/integrity/integrity.h | 44 +++- security/keys/key.c | 10 +- security/security.c | 276 ++++++++++++++++---------- security/selinux/hooks.c | 3 +- security/smack/smack_lsm.c | 4 +- 23 files changed, 550 insertions(+), 513 deletions(-)