• Roberto Sassu's avatar
    evm: Make it independent from 'integrity' LSM · 75a323e6
    Roberto Sassu authored
    Define a new structure for EVM-specific metadata, called evm_iint_cache,
    and embed it in the inode security blob. Introduce evm_iint_inode() to
    retrieve metadata, and register evm_inode_alloc_security() for the
    inode_alloc_security LSM hook, to initialize the structure (before
    splitting metadata, this task was done by iint_init_always()).
    
    Keep the non-NULL checks after calling evm_iint_inode() except in
    evm_inode_alloc_security(), to take into account inodes for which
    security_inode_alloc() was not called. When using shared metadata,
    obtaining a NULL pointer from integrity_iint_find() meant that the file
    wasn't in the IMA policy. Now, because IMA and EVM use disjoint metadata,
    the EVM status has to be stored for every inode regardless of the IMA
    policy.
    
    Given that from now on EVM relies on its own metadata, remove the iint
    parameter from evm_verifyxattr(). Also, directly retrieve the iint in
    evm_verify_hmac(), called by both evm_verifyxattr() and
    evm_verify_current_integrity(), since now there is no performance penalty
    in retrieving EVM metadata (constant time).
    
    Replicate the management of the IMA_NEW_FILE flag, by introducing
    evm_post_path_mknod() and evm_file_release() to respectively set and clear
    the newly introduced flag EVM_NEW_FILE, at the same time IMA does. Like for
    IMA, select CONFIG_SECURITY_PATH when EVM is enabled, to ensure that files
    are marked as new.
    
    Unlike ima_post_path_mknod(), evm_post_path_mknod() cannot check if a file
    must be appraised. Thus, it marks all affected files. Also, it does not
    clear EVM_NEW_FILE depending on i_version, but that is not a problem
    because IMA_NEW_FILE is always cleared when set in ima_check_last_writer().
    
    Move the EVM-specific flag EVM_IMMUTABLE_DIGSIG to
    security/integrity/evm/evm.h, since that definition is now unnecessary in
    the common integrity layer.
    
    Finally, switch to the LSM reservation mechanism for the EVM xattr, and
    consequently decrement by one the number of xattrs to allocate in
    security_inode_init_security().
    Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
    Reviewed-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    Reviewed-by: default avatarStefan Berger <stefanb@linux.ibm.com>
    Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    Acked-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    75a323e6
evm_crypto.c 10.8 KB