[PATCH] integrity: Expose data structures required for include/linux/integrity.h

Florent Revest revest at chromium.org
Wed Dec 18 11:03:09 UTC 2019


On Tue, 2019-12-17 at 18:08 -0500, Mimi Zohar wrote:
> On Tue, 2019-12-17 at 08:25 -0800, Casey Schaufler wrote:
> > On 12/17/2019 5:47 AM, Florent Revest wrote:
> > > From: Florent Revest <revest at google.com>
> > > 
> > > include/linux/integrity.h exposes the prototype of
> > > integrity_inode_get().
> > > However, it relies on struct integrity_iint_cache which is
> > > currently
> > > defined in an internal header, security/integrity/integrity.h.
> > > 
> > > To allow the rest of the kernel to use integrity_inode_get,
> > 
> > Why do you want to do this?
> 
> ditto

My team works on KRSI (eBPF MAC policies presented at LSS by KP Singh).
https://lkml.org/lkml/2019/9/10/393 We identified file hashes gathered
from the integrity subsystem as an interesting field that we could
potentially someday expose to eBPF programs through helpers.

One of the reason behind writing KRSI is to replace a custom kernel
auditing module that currently needs to redefine those structures to
access them. I imagine other kernel modules could benefit from a file
hash API too.

This is the least intrusive patch I could come up with that allows us
to lookup a hash from an inode. I was surprised to find that
integrity_inode_get was exposed but not the structures it returns.

If the community is interested in a different file hash API, I'd be
happy to iterate on this patch based on your feedback.

> > >  this patch
> > > moves the definition of the necessary structures from a private
> > > header
> > > to a global kernel header.



More information about the Linux-security-module-archive mailing list