[PATCH v8 21/24] evm: Move to LSM infrastructure
Mimi Zohar
zohar at linux.ibm.com
Tue Jan 2 17:44:16 UTC 2024
On Tue, 2024-01-02 at 12:56 +0100, Roberto Sassu wrote:
> On 12/26/2023 11:13 PM, Mimi Zohar wrote:
> > On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> >> From: Roberto Sassu <roberto.sassu at huawei.com>
> >>
> >> As for IMA, move hardcoded EVM function calls from various places in the
> >> kernel to the LSM infrastructure, by introducing a new LSM named 'evm'
> >> (last and always enabled like 'ima'). The order in the Makefile ensures
> >> that 'evm' hooks are executed after 'ima' ones.
> >>
> >> Make EVM functions as static (except for evm_inode_init_security(), which
> >> is exported), and register them as hook implementations in init_evm_lsm().
> >>
> >> Unlike before (see commit to move IMA to the LSM infrastructure),
> >> evm_inode_post_setattr(), evm_inode_post_set_acl(),
> >> evm_inode_post_remove_acl(), and evm_inode_post_removexattr() are not
> >> executed for private inodes.
> >>
> >
> > Missing is a comment on moving the inline function definitions -
> > evm_inode_remove_acl(), evm_inode_post_remove_acl(), and
> > evm_inode_post_set_acl() - to evm_main.c.
>
> Ok.
>
> >> Finally, add the LSM_ID_EVM case in lsm_list_modules_test.c
> >>
> >> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> >> ---
> >
> > [...]
> >> @@ -2307,9 +2299,7 @@ int security_inode_setxattr(struct mnt_idmap *idmap,
> >>
> >> if (ret == 1)
> >> ret = cap_inode_setxattr(dentry, name, value, size, flags);
> >> - if (ret)
> >> - return ret;
> >> - return evm_inode_setxattr(idmap, dentry, name, value, size, flags);
> >> + return ret;
> >> }
> >
> > Even though capability will be called after EVM, it doesn't make a
> > difference in this instance.
> >
> > [...]
> >
> >> /**
> >> @@ -2493,9 +2472,7 @@ int security_inode_removexattr(struct mnt_idmap *idmap,
> >> ret = call_int_hook(inode_removexattr, 1, idmap, dentry, name);
> >> if (ret == 1)
> >> ret = cap_inode_removexattr(idmap, dentry, name);
> >> - if (ret)
> >> - return ret;
> >> - return evm_inode_removexattr(idmap, dentry, name);
> >> + return ret;
> >> }
> >
> > 'security.capability' is one of the EVM protected xattrs. As
> > capability isn't an LSM, it will now be called after EVM, which is a
> > problem.
>
> Uhm, according to this comment in security_inode_removexattr() and
> security_inode_setxattr():
>
> /*
> * SELinux and Smack integrate the cap call,
> * so assume that all LSMs supplying this call do so.
> */
>
> We can add the call to IMA and EVM as well, to be compliant.
SELinux and Smack are the only current LSMs that register the
security_inode_removexattr hook. Both enforce mandatory access
control,
so their calling capabilities to enforce DAC kind of makes sense. I'm
not sure it makes sense for IMA and EVM to call capability directly,
just because of the comment.
> However, I'm missing why the two cases are different. It seems
> cap_inode_set/removexattr() are doing just checks.
Both IMA and EVM require CAP_SYS_ADMIN to write/remove security.ima and
security.evm respectively. In addition, EVM must recalculate
security.evm if any protected security xattrs are set or
removed. However, security.evm is updated on
security_inode_post_setxattr, not security_inode_setxattr.
Mimi
More information about the Linux-security-module-archive
mailing list