lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Oct 2022 09:24:05 -0400 From: Mimi Zohar <zohar@...ux.ibm.com> To: Christian Brauner <brauner@...nel.org>, Kees Cook <keescook@...omium.org> Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Borislav Petkov <bp@...e.de>, Jonathan McDowell <noodles@...com>, Takashi Iwai <tiwai@...e.de>, Petr Vorel <pvorel@...e.cz>, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org, Mickaël Salaün <mic@...ikod.net>, KP Singh <kpsingh@...nel.org>, Casey Schaufler <casey@...aufler-ca.com>, John Johansen <john.johansen@...onical.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH 3/9] ima: Move xattr hooks into LSM On Tue, 2022-10-18 at 17:07 +0200, Christian Brauner wrote: > On Thu, Oct 13, 2022 at 03:36:48PM -0700, Kees Cook wrote: > > Move the xattr IMA hooks into normal LSM layer. As with SELinux and > > Smack, handle calling cap_inode_setxattr() internally. > > > > Cc: Mimi Zohar <zohar@...ux.ibm.com> > > Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com> > > Cc: Paul Moore <paul@...l-moore.com> > > Cc: James Morris <jmorris@...ei.org> > > Cc: "Serge E. Hallyn" <serge@...lyn.com> > > Cc: Borislav Petkov <bp@...e.de> > > Cc: Jonathan McDowell <noodles@...com> > > Cc: Takashi Iwai <tiwai@...e.de> > > Cc: Petr Vorel <pvorel@...e.cz> > > Cc: linux-integrity@...r.kernel.org > > Cc: linux-security-module@...r.kernel.org > > Signed-off-by: Kees Cook <keescook@...omium.org> > > --- > > I like that changes obviously but in general, does IMA depend on being > called _after_ all other LSMs or is this just a historical artifact? Calculating the EVM HMAC must be last, after the other security xattrs have been updated. -- thanks, Mimi
Powered by blists - more mailing lists