[PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM
Kees Cook
keescook at chromium.org
Wed Oct 19 18:33:38 UTC 2022
On Mon, Oct 17, 2022 at 11:26:44AM +0200, Mickaël Salaün wrote:
>
> On 14/10/2022 19:59, Kees Cook wrote:
> > On Fri, Oct 14, 2022 at 04:40:01PM +0200, Mickaël Salaün wrote:
> > > This is not backward compatible
> >
> > Why? Nothing will be running LSM hooks until init finishes, at which
> > point the integrity inode cache will be allocated. And ima and evm don't
> > start up until lateinit.
> >
> > > , but can easily be fixed thanks to
> > > DEFINE_LSM().order
> >
> > That forces the LSM to be enabled, which may not be desired?
>
> This is not backward compatible because currently IMA is enabled
> independently of the "lsm=" cmdline, which means that for all installed
> systems using IMA and also with a custom "lsm=" cmdline, updating the kernel
> with this patch will (silently) disable IMA. Using ".order =
> LSM_ORDER_FIRST," should keep this behavior.
This isn't true. If "integrity" is removed from the lsm= line today, IMA
will immediately panic:
process_measurement():
integrity_inode_get():
if (!iint_cache)
panic("%s: lsm=integrity required.\n", __func__);
and before v5.12 (where the panic was added), it would immediately NULL
deref. (And it took 3 years to even notice.)
--
Kees Cook
More information about the Linux-security-module-archive
mailing list