[PATCH v3 0/9] bpf-lsm: Extend interoperability with IMA
Alexei Starovoitov
alexei.starovoitov at gmail.com
Wed Mar 2 22:20:56 UTC 2022
On Wed, Mar 02, 2022 at 12:13:55PM +0100, Roberto Sassu wrote:
> Extend the interoperability with IMA, to give wider flexibility for the
> implementation of integrity-focused LSMs based on eBPF.
>
> Patch 1 fixes some style issues.
>
> Patches 2-6 give the ability to eBPF-based LSMs to take advantage of the
> measurement capability of IMA without needing to setup a policy in IMA
> (those LSMs might implement the policy capability themselves).
>
> Patches 7-9 allow eBPF-based LSMs to evaluate files read by the kernel.
>
> Changelog
>
> v2:
> - Add better description to patch 1 (suggested by Shuah)
> - Recalculate digest if it is not fresh (when IMA_COLLECTED flag not set)
> - Move declaration of bpf_ima_file_hash() at the end (suggested by
> Yonghong)
> - Add tests to check if the digest has been recalculated
> - Add deny test for bpf_kernel_read_file()
> - Add description to tests
>
> v1:
> - Modify ima_file_hash() only and allow the usage of the function with the
> modified behavior by eBPF-based LSMs through the new function
> bpf_ima_file_hash() (suggested by Mimi)
> - Make bpf_lsm_kernel_read_file() sleepable so that bpf_ima_inode_hash()
> and bpf_ima_file_hash() can be called inside the implementation of
> eBPF-based LSMs for this hook
>
> Roberto Sassu (9):
> ima: Fix documentation-related warnings in ima_main.c
> ima: Always return a file measurement in ima_file_hash()
> bpf-lsm: Introduce new helper bpf_ima_file_hash()
> selftests/bpf: Move sample generation code to ima_test_common()
> selftests/bpf: Add test for bpf_ima_file_hash()
> selftests/bpf: Check if the digest is refreshed after a file write
> bpf-lsm: Make bpf_lsm_kernel_read_file() as sleepable
> selftests/bpf: Add test for bpf_lsm_kernel_read_file()
> selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA
> policy
We have to land this set through bpf-next.
Please get the Acks for patches 1 and 2, so we can proceed.
More information about the Linux-security-module-archive
mailing list