Re: [PATCH 00/28] security: Move IMA and EVM to the LSM infrastructure
From: Mimi Zohar
Date: Wed Mar 08 2023 - 10:15:28 EST
Hi Roberto,
On Fri, 2023-03-03 at 19:18 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> This patch set depends on:
> - https://lore.kernel.org/linux-integrity/20221201104125.919483-1-roberto.sassu@xxxxxxxxxxxxxxx/ (there will be a v8 shortly)
> - https://lore.kernel.org/linux-security-module/20230217032625.678457-1-paul@xxxxxxxxxxxxxx/
>
> IMA and EVM are not effectively LSMs, especially due the fact that in the
> past they could not provide a security blob while there is another LSM
> active.
>
> That changed in the recent years, the LSM stacking feature now makes it
> possible to stack together multiple LSMs, and allows them to provide a
> security blob for most kernel objects. While the LSM stacking feature has
> some limitations being worked out, it is already suitable to make IMA and
> EVM as LSMs.
>
> In short, while this patch set is big, it does not make any functional
> change to IMA and EVM. IMA and EVM functions are called by the LSM
> infrastructure in the same places as before (except ima_post_path_mknod()),
> rather being hardcoded calls, and the inode metadata pointer is directly
> stored in the inode security blob rather than in a separate rbtree.
>
> More specifically, patches 1-13 make IMA and EVM functions suitable to
> be registered to the LSM infrastructure, by aligning function parameters.
>
> Patches 14-22 add new LSM hooks in the same places where IMA and EVM
> functions are called, if there is no LSM hook already.
>
> Patch 23 adds the 'last' ordering strategy for LSMs, so that IMA and EVM
> functions are called in the same order as of today. Also, like with the
> 'first' strategy, LSMs using it are always enabled, so IMA and EVM
> functions will be always called (if IMA and EVM are compiled built-in).
>
> Patches 24-27 do the bulk of the work, remove hardcoded calls to IMA and
> EVM functions, register those functions in the LSM infrastructure, and let
> the latter call them. In addition, they also reserve one slot for EVM to
> supply an xattr to the inode_init_security hook.
>
> Finally, patch 28 removes the rbtree used to bind metadata to the inodes,
> and instead reserve a space in the inode security blob to store the pointer
> to metadata. This also brings performance improvements due to retrieving
> metadata in constant time, as opposed to logarithmic.
Prior to IMA being upstreamed, it went through a number of iterations,
first on the security hooks, then as a separate parallel set of
integrity hooks, and, finally, co-located with the security hooks,
where they exist. With this patch set we've come full circle.
With the LSM stacking support, multiple LSMs can now use the
'i_security' field removing the need for the rbtree indirection for
accessing integrity state info.
Roberto, thank you for making this change. Mostly it looks good.
Reviewing the patch set will be easier once the prereq's and this patch
set can be properly applied.
--
thanks,
Mimi