Thread (126 messages) 126 messages, 8 authors, 2025-07-21

Re: [RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework

From: Paul Moore <paul@paul-moore.com>
Date: 2025-06-11 20:09:18
Also in: linux-integrity, selinux

On Wed, May 14, 2025 at 9:06 AM John Johansen
[off-list ref] wrote:
On 4/9/25 11:50, Paul Moore wrote:
quoted
This patch converts IMA and EVM to use the LSM frameworks's initcall
mechanism.  There were two challenges to doing this conversion: the
first simply being the number of initcalls across IMA and EVM, and the
second was the number of resources shared between the two related,
yet independent LSMs.

The first problem was resolved by the creation of two new functions,
integrity_device_init() and integrity_late_init(), with each focused on
calling all of the various IMA/EVM initcalls for a single initcall type.
The second problem was resolved by registering both of these new
functions as initcalls for each LSM and including code in each
registered initcall to ensure it only executes once.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
  security/integrity/Makefile                   |  2 +-
  security/integrity/evm/evm_main.c             |  7 +-
  security/integrity/iint.c                     |  4 +-
  security/integrity/ima/ima_main.c             |  7 +-
  security/integrity/ima/ima_mok.c              |  4 +-
  security/integrity/initcalls.c                | 97 +++++++++++++++++++
  security/integrity/initcalls.h                | 23 +++++
  .../integrity/platform_certs/load_ipl_s390.c  |  4 +-
  .../integrity/platform_certs/load_powerpc.c   |  4 +-
  security/integrity/platform_certs/load_uefi.c |  4 +-
  .../platform_certs/machine_keyring.c          |  4 +-
  .../platform_certs/platform_keyring.c         | 14 ++-
  12 files changed, 147 insertions(+), 27 deletions(-)
  create mode 100644 security/integrity/initcalls.c
  create mode 100644 security/integrity/initcalls.h
...
quoted
diff --git a/security/integrity/initcalls.c b/security/integrity/initcalls.c
new file mode 100644
index 000000000000..de39754a1c2c
--- /dev/null
+++ b/security/integrity/initcalls.c
@@ -0,0 +1,97 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Platform certificate / keyring initcalls
+ *
+ */
+
+#include <linux/init.h>
+
+#include "initcalls.h"
+
+/**
+ * integrity_device_init - device_initcalls for IMA/EVM
+ *
+ * This helper function wraps all of the device_initcalls for both IMA and EVM.
+ * It can be called multiple times, e.g. once from IMA and once from EVM,
+ * without problem as it maintains an internal static state variable which
+ * ensures that any setup/initialization is only done once.
+ */
+int __init integrity_device_init(void)
+{
+     int rc = 0, rc_tmp;
if none of the below config options are defined then rc_tmp is unused and the build can kick out with

../security/integrity/initcalls.c:21:21: error: unused variable ‘rc_tmp’ [-Werror=unused-variable]
Thanks.  I fixed this by adding a __maybe_unused annotation as that
seemed like the cleanest fix.

-- 
paul-moore.com
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help