Re: [RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework
From: Paul Moore <paul@paul-moore.com>
Date: 2025-06-11 20:09:18
Also in:
linux-integrity, selinux
On Wed, May 14, 2025 at 9:06 AM John Johansen [off-list ref] wrote:
On 4/9/25 11:50, Paul Moore wrote:
This patch converts IMA and EVM to use the LSM framework's initcall mechanism. There were two challenges to doing this conversion: the first simply being the number of initcalls across IMA and EVM, and the second was the number of resources shared between the two related, yet independent LSMs.

The first problem was resolved by the creation of two new functions, integrity_device_init() and integrity_late_init(), with each focused on calling all of the various IMA/EVM initcalls for a single initcall type. The second problem was resolved by registering both of these new functions as initcalls for each LSM and including code in each registered initcall to ensure it only executes once.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
security/integrity/Makefile | 2 +-
security/integrity/evm/evm_main.c | 7 +-
security/integrity/iint.c | 4 +-
security/integrity/ima/ima_main.c | 7 +-
security/integrity/ima/ima_mok.c | 4 +-
security/integrity/initcalls.c | 97 +++++++++++++++++++
security/integrity/initcalls.h | 23 +++++
.../integrity/platform_certs/load_ipl_s390.c | 4 +-
.../integrity/platform_certs/load_powerpc.c | 4 +-
security/integrity/platform_certs/load_uefi.c | 4 +-
.../platform_certs/machine_keyring.c | 4 +-
.../platform_certs/platform_keyring.c | 14 ++-
12 files changed, 147 insertions(+), 27 deletions(-)
create mode 100644 security/integrity/initcalls.c
create mode 100644 security/integrity/initcalls.h
...
diff --git a/security/integrity/initcalls.c b/security/integrity/initcalls.c new file mode 100644 index 000000000000..de39754a1c2c --- /dev/null +++ b/security/integrity/initcalls.c@@ -0,0 +1,97 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Platform certificate / keyring initcalls + * + */ + +#include <linux/init.h> + +#include "initcalls.h" + +/** + * integrity_device_init - device_initcalls for IMA/EVM + * + * This helper function wraps all of the device_initcalls for both IMA and EVM. + * It can be called multiple times, e.g. once from IMA and once from EVM, + * without problem as it maintains an internal static state variable which + * ensures that any setup/initialization is only done once. + */ +int __init integrity_device_init(void) +{ + int rc = 0, rc_tmp;

If none of the below config options are defined, then rc_tmp is unused and the build can kick out with ../security/integrity/initcalls.c:21:21: error: unused variable ‘rc_tmp’ [-Werror=unused-variable]
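Review bot: rc_tmp in integrity_device_init() is declared unconditionally while, per the report above, every assignment to it sits inside a config-guarded block, so a configuration with all of those options disabled leaves the variable unused and the build fails under -Werror=unused-variable. Either annotate it, `int rc = 0, rc_tmp __maybe_unused;`, or drop the temporary and have each guarded call feed rc directly so there is nothing to be unused. Separately, the file header comment "Platform certificate / keyring initcalls" no longer describes this file, which now wraps all of the IMA/EVM device initcalls as the kerneldoc on integrity_device_init() says; reword the header to match.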
Thanks. I fixed this by adding a __maybe_unused annotation as that seemed like the cleanest fix.

--
paul-moore.com
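The pattern under discussion, a single wrapper registered as an initcall by two LSMs and guarded so that its body runs only once, plus the rc/rc_tmp accumulation that becomes an unused variable when every guarded block is compiled out, is shown below as an added user-space model. It is not the kernel's security/integrity/initcalls.c: the sub-initcalls, the three CONFIG_* stand-ins, the -EIO failure and the caching of the result for the second caller are all constructed for this example (the commit message only says the body executes once; how the second LSM learns about a failure is this example's choice).

```c
/* Added user-space model of the once-only initcall wrapper described in the
 * commit message.  Not the kernel's code: the sub-initcalls, Kconfig symbols
 * and error value below are constructed for the example. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Kernel builds get this from <linux/compiler_attributes.h>; define it here so
 * the file compiles stand-alone with gcc/clang. */
#ifndef __maybe_unused
#define __maybe_unused __attribute__((unused))
#endif

/* Constructed stand-ins for Kconfig symbols.  Comment all three out and drop
 * __maybe_unused below to reproduce the reported build failure:
 * "error: unused variable 'rc_tmp' [-Werror=unused-variable]". */
#define CONFIG_INTEGRITY_PLATFORM_KEYRING 1
#define CONFIG_IMA 1
#define CONFIG_EVM 1

/* Call counters so a test can check that each sub-initcall ran exactly once
 * even though the wrapper is invoked from two LSMs. */
static int platform_keyring_init_calls, ima_init_calls, evm_init_calls;

/* Hypothetical per-component initcalls; ima_init fails to show that the
 * wrapper keeps going and reports the first error it saw. */
static int platform_keyring_init(void) { platform_keyring_init_calls++; return 0; }
static int ima_init(void) { ima_init_calls++; return -EIO; }
static int evm_init(void) { evm_init_calls++; return 0; }

/*
 * Wrapper that both IMA and EVM register as their device initcall.  The static
 * state makes the second invocation a no-op; this example also caches the
 * result so the second LSM gets the same return value as the first.
 */
int integrity_device_init(void)
{
	static bool done;
	static int rc_cached;
	int rc = 0, rc_tmp __maybe_unused;

	if (done)
		return rc_cached;
	done = true;

#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
	rc_tmp = platform_keyring_init();
	if (rc_tmp && !rc)
		rc = rc_tmp;
#endif
#ifdef CONFIG_IMA
	rc_tmp = ima_init();
	if (rc_tmp && !rc)
		rc = rc_tmp;
#endif
#ifdef CONFIG_EVM
	rc_tmp = evm_init();
	if (rc_tmp && !rc)
		rc = rc_tmp;
#endif

	rc_cached = rc;
	return rc;
}

/* What each LSM would hand to the LSM framework's initcall mechanism. */
int ima_device_initcall(void) { return integrity_device_init(); }
int evm_device_initcall(void) { return integrity_device_init(); }

/* Total sub-initcall executions; 3 means every component ran exactly once. */
int sub_initcalls_run(void)
{
	return platform_keyring_init_calls + ima_init_calls + evm_init_calls;
}

int main(void)
{
	int rc_ima = ima_device_initcall();
	int rc_evm = evm_device_initcall();

	printf("ima=%d evm=%d sub-initcalls run=%d\n",
	       rc_ima, rc_evm, sub_initcalls_run());
	return 0;
}
```

Build with `gcc -Wall -Werror=unused-variable` to see the two states: with the CONFIG_* lines present rc_tmp is used and the flag is harmless; with all three removed, only the `__maybe_unused` keeps the translation unit compiling, which is the fix the reply above settles on.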