[PATCH v3 0/9] bpf-lsm: Extend interoperability with IMA

Alexei Starovoitov alexei.starovoitov at gmail.com
Wed Mar 2 22:20:56 UTC 2022


On Wed, Mar 02, 2022 at 12:13:55PM +0100, Roberto Sassu wrote:
> Extend the interoperability with IMA, to give wider flexibility for the
> implementation of integrity-focused LSMs based on eBPF.
> 
> Patch 1 fixes some style issues.
> 
> Patches 2-6 give the ability to eBPF-based LSMs to take advantage of the
> measurement capability of IMA without needing to setup a policy in IMA
> (those LSMs might implement the policy capability themselves).
> 
> Patches 7-9 allow eBPF-based LSMs to evaluate files read by the kernel.
> 
> Changelog
> 
> v2:
> - Add better description to patch 1 (suggested by Shuah)
> - Recalculate digest if it is not fresh (when IMA_COLLECTED flag not set)
> - Move declaration of bpf_ima_file_hash() at the end (suggested by
>   Yonghong)
> - Add tests to check if the digest has been recalculated
> - Add deny test for bpf_kernel_read_file()
> - Add description to tests
> 
> v1:
> - Modify ima_file_hash() only and allow the usage of the function with the
>   modified behavior by eBPF-based LSMs through the new function
>   bpf_ima_file_hash() (suggested by Mimi)
> - Make bpf_lsm_kernel_read_file() sleepable so that bpf_ima_inode_hash()
>   and bpf_ima_file_hash() can be called inside the implementation of
>   eBPF-based LSMs for this hook
> 
> Roberto Sassu (9):
>   ima: Fix documentation-related warnings in ima_main.c
>   ima: Always return a file measurement in ima_file_hash()
>   bpf-lsm: Introduce new helper bpf_ima_file_hash()
>   selftests/bpf: Move sample generation code to ima_test_common()
>   selftests/bpf: Add test for bpf_ima_file_hash()
>   selftests/bpf: Check if the digest is refreshed after a file write
>   bpf-lsm: Make bpf_lsm_kernel_read_file() as sleepable
>   selftests/bpf: Add test for bpf_lsm_kernel_read_file()
>   selftests/bpf: Check that bpf_kernel_read_file() denies reading IMA
>     policy

We have to land this set through bpf-next.
Please get the Acks for patches 1 and 2, so we can proceed.



More information about the Linux-security-module-archive mailing list