[RFC PATCH] lsm: add the inode_free_security_rcu() LSM implementation hook
Mickaël Salaün
mic at digikod.net
Wed Jul 10 12:02:38 UTC 2024
On Tue, Jul 09, 2024 at 10:47:45PM -0400, Paul Moore wrote:
> On Tue, Jul 9, 2024 at 10:40 PM Paul Moore <paul at paul-moore.com> wrote:
> >
> > The LSM framework has an existing inode_free_security() hook which
> > is used by LSMs that manage state associated with an inode, but
> > due to the use of RCU to protect the inode, special care must be
> > taken to ensure that the LSMs do not fully release the inode state
> > until it is safe from a RCU perspective.
> >
> > This patch implements a new inode_free_security_rcu() implementation
> > hook which is called when it is safe to free the LSM's internal inode
> > state. Unfortunately, this new hook does not have access to the inode
> > itself as it may already be released, so the existing
> > inode_free_security() hook is retained for those LSMs which require
> > access to the inode.
> >
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > ---
> > include/linux/lsm_hook_defs.h | 1 +
> > security/integrity/ima/ima.h | 2 +-
> > security/integrity/ima/ima_iint.c | 20 ++++++++------------
> > security/integrity/ima/ima_main.c | 2 +-
> > security/landlock/fs.c | 9 ++++++---
> > security/security.c | 26 +++++++++++++-------------
> > 6 files changed, 30 insertions(+), 30 deletions(-)
>
> FYI, this has only received "light" testing, and even that is fairly
> generous. I booted up a system with IMA set to measure the TCB and
> ran through the audit and SELinux test suites; IMA seemed to be
> working just fine but I didn't poke at it too hard. I didn't have an
> explicit Landlock test handy, but I'm hoping that the Landlock
> enablement on a modern Rawhide system hit it a little :)
If you want to test Landlock, you can do so like this:
cd tools/testing/selftests/landlock
make -C ../../../.. headers_install
make
for f in *_test; ./$f; done
...or you can build and run everything (on UML) with
`./check-linux build kselftest' provided here:
https://github.com/landlock-lsm/landlock-test-tools
...or, even simpler, you can run all checks by running
`./docker-run.sh debian/sid` for instance.
I need to update the kernel doc with these commands.
>
> --
> paul-moore.com
>
More information about the Linux-security-module-archive
mailing list