On Thu, 2024-06-20 at 10:48 -0400, Paul Moore wrote:
> On Thu, Jun 20, 2024 at 5:12 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> > On Wed, 2024-06-19 at 14:43 -0400, Paul Moore wrote:
> > > On Wed, Jun 19, 2024 at 12:38 PM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> > > > Making it a kernel subsystem would likely mean replicating what the LSM infrastructure is doing: inode (security) blob and being notified about file/directory changes.
> > >
> > > Just because the LSM framework can be used for something, and perhaps it even makes the implementation easier, it doesn't mean the framework should be used for everything.
> >
> > It is supporting 3 LSMs: IMA, IPE and BPF LSM.
> >
> > That makes it a clear target for the security subsystem, and, as you suggested, to start with IMA; if other kernel subsystems require them, we can make it an independent subsystem.
> Have you discussed the file digest cache functionality with either the IPE or BPF LSM maintainers? While digest_cache may support these LSMs, I don't recall seeing any comments from the other LSM developers; if you are going to advocate for this as something outside of IMA, it would be good to see a show of support for the other LSMs.

Well, yes. I have been discussing this with Deven and Fan for a long time. The digest_cache LSM is listed in the Use Case section of the IPE cover letter:

https://lore.kernel.org/linux-integrity/1716583609-21790-1-git-send-email-wu...

I also developed an IPE module back in the DIGLIM days:

https://lore.kernel.org/linux-integrity/a16a628b9e21433198c490500a987121@hua...

As for eBPF, I just need to make the digest_cache LSM API callable by eBPF programs, very likely not requiring any change to the eBPF infrastructure itself. As an example of the modification needed, you could have a look at:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kern...

Once the digest_cache LSM API is exposed in eBPF, you could write a simple file integrity check (taken from my DIGLIM eBPF), not tested:

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

/*
 * MAX_DIGEST_SIZE, digest_cache_found_t and the bpf_digest_cache_*()
 * calls are assumed to come from the digest_cache API once it is
 * exposed to eBPF (see above); they are not declared here.
 */

/* bpf_ima_file_hash() is a GPL-only helper, so the program must be GPL. */
char LICENSE[] SEC("license") = "GPL";

SEC("lsm.s/bprm_creds_for_exec")
int BPF_PROG(exec, struct linux_binprm *bprm)
{
	u8 digest[MAX_DIGEST_SIZE] = { 0 };
	digest_cache_found_t found;
	struct digest_cache *digest_cache;
	int algo;

	/* Compute the digest of the file being executed (IMA helper). */
	algo = bpf_ima_file_hash(bprm->file, digest, sizeof(digest));
	if (algo < 0)
		return -EPERM;

	/* Get the digest cache associated with the file's dentry. */
	digest_cache = bpf_digest_cache_get(bprm->file->f_path.dentry);
	if (!digest_cache)
		return -EPERM;

	/* Allow the exec only if the digest is in the cache. */
	found = bpf_digest_cache_lookup(bprm->file->f_path.dentry, digest_cache,
					digest, algo);

	bpf_digest_cache_put(digest_cache);
	return found ? 0 : -EPERM;
}

Roberto