kernel/security/integrity/evm/evm_main.c, branch linux-rolling-stable

ima,evm: move initcalls to the LSM framework

2025-10-22T23:24:27Z

This patch converts IMA and EVM to use the LSM frameworks's initcall mechanism. It moved the integrity_fs_init() call to ima_fs_init() and evm_init_secfs(), to work around the fact that there is no "integrity" LSM, and introduced integrity_fs_fini() to remove the integrity directory, if empty. Both integrity_fs_init() and integrity_fs_fini() support the scenario of being called by both the IMA and EVM LSMs. This patch does not touch any of the platform certificate code that lives under the security/integrity/platform_certs directory as the IMA/EVM developers would prefer to address that in a future patchset. Signed-off-by: Roberto Sassu Acked-by: Mimi Zohar [PM: adjust description as discussed over email] Signed-off-by: Paul Moore

lsm: replace the name field with a pointer to the lsm_id struct

2025-10-22T23:24:18Z

Reduce the duplication between the lsm_id struct and the DEFINE_LSM() definition by linking the lsm_id struct directly into the individual LSM's DEFINE_LSM() instance. Linking the lsm_id into the LSM definition also allows us to simplify the security_add_hooks() function by removing the code which populates the lsm_idlist[] array and moving it into the normal LSM startup code where the LSM list is parsed and the individual LSMs are enabled, making for a cleaner implementation with less overhead at boot. Reviewed-by: Kees Cook Reviewed-by: John Johansen Reviewed-by: Casey Schaufler Reviewed-by: Mimi Zohar Signed-off-by: Paul Moore

integrity: fix typos and spelling errors

2025-02-05T02:36:43Z

Fix typos and spelling errors in integrity module comments that were identified using the codespell tool. No functional changes - documentation only. Signed-off-by: Tanya Agarwal Reviewed-by: Mimi Zohar Signed-off-by: Mimi Zohar

evm: stop avoidably reading i_writecount in evm_file_release

2024-10-10T02:49:40Z

The EVM_NEW_FILE flag is unset if the file already existed at the time of open and this can be checked without looking at i_writecount. Not accessing it reduces traffic on the cacheline during parallel open of the same file and drop the evm_file_release routine from second place to bottom of the profile. Fixes: 75a323e604fc ("evm: Make it independent from 'integrity' LSM") Signed-off-by: Mateusz Guzik Reviewed-by: Roberto Sassu Cc: stable@vger.kernel.org # 6.9+ Signed-off-by: Mimi Zohar

lsm: Refactor return value of LSM hook inode_copy_up_xattr

2024-07-31T18:47:09Z

To be consistent with most LSM hooks, convert the return value of hook inode_copy_up_xattr to 0 or a negative error code. Before: - Hook inode_copy_up_xattr returns 0 when accepting xattr, 1 when discarding xattr, -EOPNOTSUPP if it does not know xattr, or any other negative error code otherwise. After: - Hook inode_copy_up_xattr returns 0 when accepting xattr, *-ECANCELED* when discarding xattr, -EOPNOTSUPP if it does not know xattr, or any other negative error code otherwise. Signed-off-by: Xu Kuohai Reviewed-by: Casey Schaufler Signed-off-by: Paul Moore

evm: Rename is_unsupported_fs to is_unsupported_hmac_fs

2024-04-09T21:14:58Z

Rename is_unsupported_fs to is_unsupported_hmac_fs since now only HMAC is unsupported. Co-developed-by: Mimi Zohar Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar

fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED

2024-04-09T21:14:58Z

Now that EVM supports RSA signatures for previously completely unsupported filesystems rename the flag SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED to reflect that only HMAC is not supported. Suggested-by: Amir Goldstein Suggested-by: Mimi Zohar Signed-off-by: Stefan Berger Acked-by: Amir Goldstein Signed-off-by: Mimi Zohar

evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509

2024-04-09T21:14:57Z

Unsupported filesystems currently do not enforce any signatures. Add support for signature enforcement of the "original" and "portable & immutable" signatures when EVM_INIT_X509 is enabled. The "original" signature type contains filesystem specific metadata. Thus it cannot be copied up and verified. However with EVM_INIT_X509 and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature may be written. When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from /sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not possible to write or remove xattrs on the overlay filesystem. This change still prevents EVM from writing HMAC signatures on unsupported filesystem when EVM_INIT_HMAC is enabled. Co-developed-by: Mimi Zohar Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar

evm: Store and detect metadata inode attributes changes

2024-04-09T21:14:57Z

On stacked filesystem the metadata inode may be different than the one file data inode and therefore changes to it need to be detected independently. Therefore, store the i_version, device number, and inode number associated with the file metadata inode. Implement a function to detect changes to the inode and if a change is detected reset the evm_status. This function will be called by IMA when IMA detects that the metadata inode is different from the file's inode. Co-developed-by: Mimi Zohar Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar

evm: Implement per signature type decision in security_inode_copy_up_xattr

2024-04-09T21:14:57Z

To support "portable and immutable signatures" on otherwise unsupported filesystems, determine the EVM signature type by the content of a file's xattr. If the file has the appropriate signature type then allow it to be copied up. All other signature types are discarded as before. "Portable and immutable" EVM signatures can be copied up by stacked file- system since the metadata their signature covers does not include file- system-specific data such as a file's inode number, generation, and UUID. Co-developed-by: Mimi Zohar Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar