[PATCH v9 24/25] ima: Make it independent from 'integrity' LSM
Stefan Berger
stefanb at linux.ibm.com
Mon Feb 12 19:47:20 UTC 2024
On 1/15/24 13:18, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> Make the 'ima' LSM independent from the 'integrity' LSM by introducing IMA
> own integrity metadata (ima_iint_cache structure, with IMA-specific fields
> from the integrity_iint_cache structure), and by managing it directly from
> the 'ima' LSM.
>
> Create ima_iint.c and introduce the same integrity metadata management
> functions found in iint.c (renamed with ima_). However, instead of putting
> metadata in an rbtree, reserve space from IMA in the inode security blob
> for a pointer, and introduce the ima_inode_set_iint()/ima_inode_get_iint()
> primitives to store/retrieve that pointer. This improves search time from
> logarithm to constant.
logarithmic
>
> Consequently, don't include the inode pointer as field in the
> ima_iint_cache structure, since the association with the inode is clear.
> Since the inode field is missing in ima_iint_cache, pass the extra inode
> parameter to ima_get_verity_digest().
>
> Prefer storing the pointer instead of the entire ima_iint_cache structure,
> to avoid too much memory pressure. Use the same mechanism as before, a
> cache named ima_iint_cache (renamed from iint_cache), to quickly allocate
> a new ima_iint_cache structure when requested by the IMA policy.
>
> Create the new ima_iint_cache in ima_iintcache_init(),
> called by init_ima_lsm(), during the initialization of the 'ima' LSM. And,
> register ima_inode_free_security() to free the ima_iint_cache structure, if
> exists.
>
> Replace integrity_iint_cache with ima_iint_cache in various places of the
> IMA code. Also, replace integrity_inode_get() and integrity_iint_find(),
> respectively with ima_inode_get() and ima_iint_find().
>
> Finally, move the remaining IMA-specific flags
> to security/integrity/ima/ima.h, since they are now unnecessary in the
> common integrity layer.
>
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Reviewed-by: Stefan Berger <stefanb at linux.ibm.com>
More information about the Linux-security-module-archive
mailing list