[PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM
Kees Cook
keescook at chromium.org
Wed Oct 19 18:28:49 UTC 2022
On Wed, Oct 19, 2022 at 10:34:08AM -0400, Mimi Zohar wrote:
> On Thu, 2022-10-13 at 15:36 -0700, Kees Cook wrote:
> > Move "integrity" LSM to the end of the Kconfig list and prepare for
> > having ima and evm LSM initialization called from the top-level
> > "integrity" LSM.
>
> The securityfs integrity directory and the "iint_cache" are shared
> IMA/EVM resources. Just because the "iint_cache" was on an LSM hook,
> it should never have been treated as an LSM on its own. IMA maintains
> and verifies file data integrity, while EVM maintains and verifies file
> metadata integrity. IMA and EVM may both be configured and enabled, or
> independently of each other. However, only if either IMA or EVM are
> configured and enabled, should the iint_cache be created. There is
> absolutely no need for an independent "integrity" LSM.
The purpose of this patch was to tie ima and evm into integrity, since
the iint_cache is used by both. It's been true since 4.20 that using
ima and evm requires that the LSM named "integrity" has been initialized.
Since ima and evm have separate indicators for "am I active?" (much like
apparmor, etc), it seemed sensible to make ima and evm part of the LSM
named "integrity". Other solutions are totally fine!
I do note, however, this patch needs to be tweaked for the case where
CONFIG_IMA or CONFIG_EVM are not set.
--
Kees Cook
More information about the Linux-security-module-archive
mailing list