[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2ae5127d76cbf78140fb2d6108c9ec70c7d8ae5d.camel@chromium.org>
Date: Wed, 18 Dec 2019 12:03:09 +0100
From: Florent Revest <revest@...omium.org>
To: Mimi Zohar <zohar@...ux.ibm.com>,
Casey Schaufler <casey@...aufler-ca.com>,
linux-integrity@...r.kernel.org
Cc: jmorris@...ei.org, serge@...lyn.com, revest@...gle.com,
allison@...utok.net, armijn@...ldur.nl, bauerman@...ux.ibm.com,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, kpsingh@...omium.org
Subject: Re: [PATCH] integrity: Expose data structures required for
include/linux/integrity.h
On Tue, 2019-12-17 at 18:08 -0500, Mimi Zohar wrote:
> On Tue, 2019-12-17 at 08:25 -0800, Casey Schaufler wrote:
> > On 12/17/2019 5:47 AM, Florent Revest wrote:
> > > From: Florent Revest <revest@...gle.com>
> > >
> > > include/linux/integrity.h exposes the prototype of
> > > integrity_inode_get().
> > > However, it relies on struct integrity_iint_cache which is
> > > currently
> > > defined in an internal header, security/integrity/integrity.h.
> > >
> > > To allow the rest of the kernel to use integrity_inode_get,
> >
> > Why do you want to do this?
>
> ditto
My team works on KRSI (eBPF MAC policies presented at LSS by KP Singh).
https://lkml.org/lkml/2019/9/10/393 We identified file hashes gathered
from the integrity subsystem as an interesting field that we could
potentially someday expose to eBPF programs through helpers.
One of the reason behind writing KRSI is to replace a custom kernel
auditing module that currently needs to redefine those structures to
access them. I imagine other kernel modules could benefit from a file
hash API too.
This is the least intrusive patch I could come up with that allows us
to lookup a hash from an inode. I was surprised to find that
integrity_inode_get was exposed but not the structures it returns.
If the community is interested in a different file hash API, I'd be
happy to iterate on this patch based on your feedback.
> > > this patch
> > > moves the definition of the necessary structures from a private
> > > header
> > > to a global kernel header.
Powered by blists - more mailing lists