lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Oct 2022 15:36:53 -0700 From: Kees Cook <keescook@...omium.org> To: Mimi Zohar <zohar@...ux.ibm.com> Cc: Kees Cook <keescook@...omium.org>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org, Mickaël Salaün <mic@...ikod.net>, KP Singh <kpsingh@...nel.org>, Casey Schaufler <casey@...aufler-ca.com>, John Johansen <john.johansen@...onical.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: [PATCH 8/9] integrity: Move trivial hooks into LSM Move the integrity_inode_free and integrity_kernel_module_request hooks into the LSM. Cc: Mimi Zohar <zohar@...ux.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com> Cc: Paul Moore <paul@...l-moore.com> Cc: James Morris <jmorris@...ei.org> Cc: "Serge E. Hallyn" <serge@...lyn.com> Cc: linux-integrity@...r.kernel.org Cc: linux-security-module@...r.kernel.org Signed-off-by: Kees Cook <keescook@...omium.org> --- include/linux/integrity.h | 19 ------------------- security/integrity/iint.c | 11 ++++++++++- security/integrity/integrity.h | 1 + security/security.c | 8 +------- 4 files changed, 12 insertions(+), 27 deletions(-) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 2ea0f2f65ab6..c86bcf6b866b 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -22,7 +22,6 @@ enum integrity_status { /* List of EVM protected security xattrs */ #ifdef CONFIG_INTEGRITY extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode); -extern void integrity_inode_free(struct inode *inode); extern void __init integrity_load_keys(void); #else @@ -32,27 +31,9 @@ static inline struct integrity_iint_cache * return NULL; } -static inline void integrity_inode_free(struct inode *inode) -{ - return; -} - static inline void integrity_load_keys(void) { } #endif /* CONFIG_INTEGRITY */ -#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS - -extern int integrity_kernel_module_request(char *kmod_name); - -#else - -static inline int integrity_kernel_module_request(char *kmod_name) -{ - return 0; -} - -#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */ - #endif /* _LINUX_INTEGRITY_H */ diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 4f322324449d..dea4dbb93a53 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -142,7 +142,7 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) * * Free the integrity information(iint) associated with an inode. */ -void integrity_inode_free(struct inode *inode) +static void integrity_inode_free(struct inode *inode) { struct integrity_iint_cache *iint; @@ -177,12 +177,21 @@ void __init integrity_add_lsm_hooks(struct security_hook_list *hooks, security_add_hooks(hooks, count, "integrity"); } +static struct security_hook_list integrity_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(inode_free_security, integrity_inode_free), +#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS + LSM_HOOK_INIT(kernel_module_request, integrity_kernel_module_request), +#endif +}; + static int __init integrity_lsm_init(void) { iint_cache = kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), 0, SLAB_PANIC, init_once); + integrity_add_lsm_hooks(integrity_hooks, ARRAY_SIZE(integrity_hooks)); + integrity_lsm_ima_init(); integrity_lsm_evm_init(); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 3707349271c9..93f35b208809 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -237,6 +237,7 @@ static inline int __init integrity_load_cert(const unsigned int id, #endif /* CONFIG_INTEGRITY_SIGNATURE */ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS +int integrity_kernel_module_request(char *kmod_name); int asymmetric_verify(struct key *keyring, const char *sig, int siglen, const char *data, int datalen); #else diff --git a/security/security.c b/security/security.c index af42264ad3e2..60c0ed336b23 100644 --- a/security/security.c +++ b/security/security.c @@ -1036,7 +1036,6 @@ static void inode_free_by_rcu(struct rcu_head *head) void security_inode_free(struct inode *inode) { - integrity_inode_free(inode); call_void_hook(inode_free_security, inode); /* * The inode may still be referenced in a path walk and @@ -1723,12 +1722,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode) int security_kernel_module_request(char *kmod_name) { - int ret; - - ret = call_int_hook(kernel_module_request, 0, kmod_name); - if (ret) - return ret; - return integrity_kernel_module_request(kmod_name); + return call_int_hook(kernel_module_request, 0, kmod_name); } int security_kernel_read_file(struct file *file, enum kernel_read_file_id id, -- 2.34.1
Powered by blists - more mailing lists