On Wed, May 14, 2025 at 9:06 AM John Johansen <john.johan...@canonical.com> wrote:
> On 4/9/25 11:50, Paul Moore wrote:
> > This patch converts IMA and EVM to use the LSM framework's initcall
> > mechanism. There were two challenges to doing this conversion: the
> > first simply being the number of initcalls across IMA and EVM, and the
> > second was the number of resources shared between the two related,
> > yet independent LSMs.
> >
> > The first problem was resolved by the creation of two new functions,
> > integrity_device_init() and integrity_late_init(), with each focused on
> > calling all of the various IMA/EVM initcalls for a single initcall type.
> > The second problem was resolved by registering both of these new
> > functions as initcalls for each LSM and including code in each
> > registered initcall to ensure it only executes once.
> >
> > Signed-off-by: Paul Moore <p...@paul-moore.com>
> > ---
> >  security/integrity/Makefile                       |  2 +-
> >  security/integrity/evm/evm_main.c                 |  7 +-
> >  security/integrity/iint.c                         |  4 +-
> >  security/integrity/ima/ima_main.c                 |  7 +-
> >  security/integrity/ima/ima_mok.c                  |  4 +-
> >  security/integrity/initcalls.c                    | 97 +++++++++++++++++++
> >  security/integrity/initcalls.h                    | 23 +++++
> >  .../integrity/platform_certs/load_ipl_s390.c      |  4 +-
> >  .../integrity/platform_certs/load_powerpc.c       |  4 +-
> >  security/integrity/platform_certs/load_uefi.c     |  4 +-
> >  .../platform_certs/machine_keyring.c              |  4 +-
> >  .../platform_certs/platform_keyring.c             | 14 ++-
> >  12 files changed, 147 insertions(+), 27 deletions(-)
> >  create mode 100644 security/integrity/initcalls.c
> >  create mode 100644 security/integrity/initcalls.h
...
> > diff --git a/security/integrity/initcalls.c b/security/integrity/initcalls.c
> > new file mode 100644
> > index 000000000000..de39754a1c2c
> > --- /dev/null
> > +++ b/security/integrity/initcalls.c
> > @@ -0,0 +1,97 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
> > + * Platform certificate / keyring initcalls
> > + *
> > + */
> > +
> > +#include <linux/init.h>
> > +
> > +#include "initcalls.h"
> > +
> > +/**
> > + * integrity_device_init - device_initcalls for IMA/EVM
> > + *
> > + * This helper function wraps all of the device_initcalls for both IMA and
> > EVM.
> > + * It can be called multiple times, e.g. once from IMA and once from EVM,
> > + * without problem as it maintains an internal static state variable which
> > + * ensures that any setup/initialization is only done once.
> > + */
> > +int __init integrity_device_init(void)
> > +{
> > +       int rc = 0, rc_tmp;
> If none of the below config options are defined then rc_tmp is unused and the
> build can kick out with
>
> ../security/integrity/initcalls.c:21:21: error: unused variable ‘rc_tmp’
> [-Werror=unused-variable]

Thanks.  I fixed this by adding a __maybe_unused annotation as that seemed
like the cleanest fix.

-- 
paul-moore.com
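Review bot: the new file's header comment, `+ * Platform certificate / keyring initcalls`, does not describe what the file holds: the kernel-doc immediately below it says integrity_device_init() wraps all of the device_initcalls for both IMA and EVM, and the commit message says the file also carries integrity_late_init(). Suggest a header that matches, e.g. `+ * IMA/EVM shared initcall wrappers`, and dropping the empty `+ *` line that follows it. On the `int rc = 0, rc_tmp;` line John flagged, an alternative to a __maybe_unused annotation is to declare rc_tmp inside each config-guarded block that uses it, which keeps -Wunused-variable meaningful for the copies that exist while still building cleanly when every block is compiled out.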
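Added example, not code from the patch or from the kernel tree: a userspace C mock of the once-only shared initcall pattern the commit message describes, where one function is registered by two LSMs and an internal static state variable makes the setup run a single time. Everything named here is invented for the illustration (integrity_device_init_mock(), mock_ima_init(), mock_evm_init(), the MOCK_CONFIG_* macros, the call counters), the real function's body is not visible in the quoted hunk, and returning the first run's result to later callers is an assumption rather than something the patch shows. The rc_tmp declaration carries the __maybe_unused annotation Paul mentions, so setting both MOCK_CONFIG_* macros to 0 reproduces the "rc_tmp never touched" build John hit without tripping -Werror=unused-variable.

```c
/*
 * Added example: userspace mock of a once-only shared initcall.
 * Not kernel code; every "mock_"/"MOCK_" name is invented here.
 */
#include <errno.h>
#include <stdio.h>

/* Stand-ins for the kernel attributes used in the quoted hunk. */
#define __init
#define __maybe_unused __attribute__((unused))

/*
 * Set either to 0 to mimic CONFIG_IMA / CONFIG_EVM being compiled out.
 * With both at 0, rc_tmp is never assigned; __maybe_unused keeps that
 * from becoming a -Werror=unused-variable failure.
 */
#define MOCK_CONFIG_IMA 1
#define MOCK_CONFIG_EVM 1

static int ima_calls, evm_calls;	/* how often each sub-initcall ran */

/* Constructed sub-initcalls: IMA succeeds, EVM fails with -ENOMEM. */
static int __init mock_ima_init(void)
{
	ima_calls++;
	return 0;
}

static int __init mock_evm_init(void)
{
	evm_calls++;
	return -ENOMEM;
}

/* Counters exposed as functions so a caller can check them. */
int ima_init_count(void) { return ima_calls; }
int evm_init_count(void) { return evm_calls; }

/*
 * Shared device_initcall for two LSMs.  Both register it, so it is
 * entered twice; the static 'done' flag guarantees the sub-initcalls
 * run exactly once.  Later callers receive the first run's result
 * (an assumption made for this mock, not something the hunk shows).
 */
int __init integrity_device_init_mock(void)
{
	static int done;
	static int first_rc;
	int rc = 0, rc_tmp __maybe_unused;

	if (done)
		return first_rc;
	done = 1;

#if MOCK_CONFIG_IMA
	rc_tmp = mock_ima_init();
	if (rc_tmp)
		rc = rc_tmp;	/* remember the failure but keep going */
#endif
#if MOCK_CONFIG_EVM
	rc_tmp = mock_evm_init();
	if (rc_tmp)
		rc = rc_tmp;
#endif

	first_rc = rc;
	return rc;
}

int main(void)
{
	int rc1 = integrity_device_init_mock();	/* as if registered by IMA */
	int rc2 = integrity_device_init_mock();	/* as if registered by EVM */

	printf("rc1=%d rc2=%d ima_calls=%d evm_calls=%d\n",
	       rc1, rc2, ima_init_count(), evm_init_count());
	return 0;
}
```

Build with `cc -Wall -Werror integrity_mock.c` (file name assumed); flip both MOCK_CONFIG_* macros to 0 and remove the __maybe_unused to see the unused-variable error John reported, and restore it to see why the annotation is enough on its own.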