Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA

2024-02-13 Thread Stefan Berger
On 2/13/24 03:57, Roberto Sassu wrote: On Mon, 2024-02-12 at 15:28 -0500, Stefan Berger wrote: On 2/12/24 12:56, Paul Moore wrote: On Mon, Feb 12, 2024 at 12:48 PM Stefan Berger wrote: On 1/15/24 13:18, Roberto Sassu wrote: ... +/** + * ima_kernel_module_request - Prevent crypto

Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA

2024-02-12 Thread Stefan Berger
On 2/12/24 12:56, Paul Moore wrote: On Mon, Feb 12, 2024 at 12:48 PM Stefan Berger wrote: On 1/15/24 13:18, Roberto Sassu wrote: ... +/** + * ima_kernel_module_request - Prevent crypto-pkcs1pad(rsa,*) requests + * @kmod_name: kernel module name + * + * We have situation, when

Re: [PATCH v9 25/25] integrity: Remove LSM

2024-02-12 Thread Stefan Berger
eating the integrity directory in securityfs (we need to keep it for retrocompatibility reasons). Signed-off-by: Roberto Sassu Reviewed-by: Stefan Berger

Re: [PATCH v9 24/25] ima: Make it independent from 'integrity' LSM

2024-02-12 Thread Stefan Berger
since they are now unnecessary in the common integrity layer. Signed-off-by: Roberto Sassu Reviewed-by: Stefan Berger

Re: [PATCH v9 23/25] evm: Make it independent from 'integrity' LSM

2024-02-12 Thread Stefan Berger
ff-by: Roberto Sassu Reviewed-by: Stefan Berger

Re: [PATCH v9 22/25] evm: Move to LSM infrastructure

2024-02-12 Thread Stefan Berger
T(inode_remove_acl, evm_inode_remove_acl), + LSM_HOOK_INIT(inode_post_remove_acl, evm_inode_post_remove_acl), + LSM_HOOK_INIT(inode_post_setxattr, evm_inode_post_setxattr), nit: move this one up after inode_setxattr. Reviewed-by: Stefan Berger

Re: [PATCH v9 19/25] integrity: Move integrity_kernel_module_request() to IMA

2024-02-12 Thread Stefan Berger
nt security_kernel_module_request(char *kmod_name) ret = call_int_hook(kernel_module_request, 0, kmod_name); if (ret) return ret; - return integrity_kernel_module_request(kmod_name); + return ima_kernel_module_request(kmod_name); } /** Reviewed-by: Stefan Berger

Re: [PATCH v9 20/25] ima: Move to LSM infrastructure

2024-02-12 Thread Stefan Berger
date() if CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Also, conditionally register ima_kernel_module_request() if CONFIG_INTEGRITY_ASYMMETRIC_KEYS is enabled. Finally, add the LSM_ID_IMA case in lsm_list_modules_test.c. Signed-off-by: Roberto Sassu Acked-by: Chuck Lever Reviewed-by: Stefan Berger

Re: [PATCH v9 14/25] security: Introduce path_post_mknod hook

2024-02-12 Thread Stefan Berger
: Stefan Berger --- fs/namei.c| 5 + include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 5 + security/security.c | 14 ++ 4 files changed, 26 insertions(+) diff --git a/fs/namei.c b/fs/namei.c index fb93d3e13df6

Re: [PATCH v9 15/25] security: Introduce inode_post_create_tmpfile hook

2024-02-12 Thread Stefan Berger
stored in the security xattr. LSMs could also take some action after temp files have been created. The new hook cannot return an error and cannot cause the operation to be canceled. Signed-off-by: Roberto Sassu Acked-by: Casey Schaufler Reviewed-by: Mimi Zohar Reviewed-by: Stefan Berger

Re: [PATCH v9 13/25] security: Introduce file_release hook

2024-02-12 Thread Stefan Berger
succeeds. An LSM could implement an exclusive access scheme for files, only allowing access to files that have no references. The new hook cannot return an error and cannot cause the operation to be reverted. Signed-off-by: Roberto Sassu Reviewed-by: Stefan Berger --- fs/file_table.c