Thread: 101 messages, 7 authors, 2024-02-15

Re: [PATCH v9 22/25] evm: Move to LSM infrastructure

From: Paul Moore <paul@paul-moore.com>
Date: 2024-02-08 03:18:56
Also in: keyrings, linux-fsdevel, linux-integrity, linux-kselftest, linux-nfs, lkml, selinux

On Jan 15, 2024 Roberto Sassu [off-list ref] wrote:
> As for IMA, move hardcoded EVM function calls from various places in the
> kernel to the LSM infrastructure, by introducing a new LSM named 'evm'
> (last and always enabled like 'ima'). The order in the Makefile ensures
> that 'evm' hooks are executed after 'ima' ones.

Let's add a comment to the Makefile about this so everyone knows not
to mix up the ordering, otherwise this looks good to me.

At some point I think we may want to introduce the concept of numerical
priorities to security_add_hooks() to add some additional granularity
beyond the LSM_ORDER_XXX priority, but that is something we can do
later.

Acked-by: Paul Moore <paul@paul-moore.com>
> Make EVM functions static (except for evm_inode_init_security(), which
> is exported), and register them as hook implementations in init_evm_lsm().
> Also move the inline functions evm_inode_remove_acl(),
> evm_inode_post_remove_acl(), and evm_inode_post_set_acl() from the public
> evm.h header to evm_main.c.
>
> Unlike before (see commit to move IMA to the LSM infrastructure),
> evm_inode_post_setattr(), evm_inode_post_set_acl(),
> evm_inode_post_remove_acl(), and evm_inode_post_removexattr() are not
> executed for private inodes.
>
> Finally, add the LSM_ID_EVM case in lsm_list_modules_test.c.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  fs/attr.c                                     |   2 -
>  fs/posix_acl.c                                |   3 -
>  fs/xattr.c                                    |   2 -
>  include/linux/evm.h                           | 113 -----------------
>  include/uapi/linux/lsm.h                      |   1 +
>  security/integrity/evm/evm_main.c             | 118 +++++++++++++++---
>  security/security.c                           |  43 ++-----
>  .../selftests/lsm/lsm_list_modules_test.c     |   3 +
>  8 files changed, 116 insertions(+), 169 deletions(-)
--
paul-moore.com
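The ordering point raised in this reply (EVM hooks must run after IMA hooks, and today that is guaranteed only by registration order rather than by an explicit priority) is easier to see with a small userspace model of the hook-list mechanism. The following is an added example written for this thread, not code from the patch series or from the kernel: `security_add_hooks()` and `security_inode_post_setattr()` are simplified stand-ins that mirror the real functions' append-then-iterate semantics with a plain array instead of an hlist, and `run_post_setattr()`, `append_trace()`, the `S_PRIVATE` constant and the `ima_`/`evm_` callbacks are constructed for illustration. It also models the patch's note that EVM's post hooks skip private inodes.

```c
/* Userspace model of LSM hook-list ordering (constructed example, not kernel
 * code). Each security hook is a list of per-LSM callbacks that run in the
 * order the LSMs registered them with security_add_hooks(). */
#include <stdio.h>
#include <string.h>

#define S_PRIVATE 0x1   /* stand-in for the kernel's S_PRIVATE inode flag */
#define MAX_HOOKS 8

struct inode {
    unsigned int flags;
    char trace[64];     /* records which LSM callbacks ran, in order */
};

/* One registered callback, analogous to struct security_hook_list. */
struct security_hook_list {
    void (*hook)(struct inode *);
};

/* Hook head for inode_post_setattr, kept in insertion order. */
static struct security_hook_list inode_post_setattr_hooks[MAX_HOOKS];
static int inode_post_setattr_count;

/* Model of security_add_hooks(): append, so earlier registrants run first.
 * This is the only thing that orders 'ima' before 'evm' in the real kernel,
 * which is why the Makefile order (and its comment) matters. */
static void security_add_hooks(const struct security_hook_list *hooks, int count)
{
    for (int i = 0; i < count && inode_post_setattr_count < MAX_HOOKS; i++)
        inode_post_setattr_hooks[inode_post_setattr_count++] = hooks[i];
}

/* The call site fs/attr.c reaches instead of a hardcoded evm_inode_post_setattr(). */
static void security_inode_post_setattr(struct inode *inode)
{
    for (int i = 0; i < inode_post_setattr_count; i++)
        inode_post_setattr_hooks[i].hook(inode);
}

static void append_trace(struct inode *inode, const char *lsm)
{
    size_t room = sizeof(inode->trace) - strlen(inode->trace) - 1;
    if (inode->trace[0])
        strncat(inode->trace, ",", room--);
    strncat(inode->trace, lsm, room);
}

static void ima_inode_post_setattr(struct inode *inode)
{
    append_trace(inode, "ima");
}

/* Per the patch description, EVM's post hooks are not run for private inodes. */
static void evm_inode_post_setattr(struct inode *inode)
{
    if (inode->flags & S_PRIVATE)
        return;
    append_trace(inode, "evm");
}

static const struct security_hook_list ima_hooks[] = { { ima_inode_post_setattr } };
static const struct security_hook_list evm_hooks[] = { { evm_inode_post_setattr } };

/* Register the two LSMs in the given order, run one setattr on an inode with
 * the given flags, and return the comma-separated trace of callbacks that ran.
 * evm_first = 1 simulates getting the Makefile order wrong. */
const char *run_post_setattr(unsigned int flags, int evm_first)
{
    static char result[64];
    struct inode inode = { .flags = flags, .trace = "" };

    inode_post_setattr_count = 0;   /* reset so the model is re-runnable */
    if (evm_first) {
        security_add_hooks(evm_hooks, 1);
        security_add_hooks(ima_hooks, 1);
    } else {
        security_add_hooks(ima_hooks, 1);
        security_add_hooks(evm_hooks, 1);
    }
    security_inode_post_setattr(&inode);
    snprintf(result, sizeof result, "%s", inode.trace);
    return result;
}

int main(void)
{
    printf("Makefile order, regular inode: %s\n", run_post_setattr(0, 0));
    printf("Makefile order, private inode: %s\n", run_post_setattr(S_PRIVATE, 0));
    printf("reversed order, regular inode: %s\n", run_post_setattr(0, 1));
    return 0;
}
```

The reversed-order case is the failure mode the Makefile comment guards against: nothing in the hook machinery itself rejects it, the callbacks simply run in the other order. A numerical priority on `security_add_hooks()`, as suggested above, would let the list be sorted at registration time instead of relying on link order.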