Message-ID: <d5081ccecf3ffd5562d9a66a5663b236870605ce.camel@linux.ibm.com>
Date: Thu, 13 Oct 2022 21:16:31 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Paul Moore <paul@...l-moore.com>, Kees Cook <keescook@...omium.org>
Cc: Mickaël Salaün <mic@...ikod.net>,
KP Singh <kpsingh@...nel.org>,
Casey Schaufler <casey@...aufler-ca.com>,
John Johansen <john.johansen@...onical.com>,
James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-integrity@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 0/9] integrity: Move hooks into LSM

On Thu, 2022-10-13 at 18:47 -0400, Paul Moore wrote:
> On Thu, Oct 13, 2022 at 6:36 PM Kees Cook <keescook@...omium.org> wrote:
> >
> > Hi,
> >
> > It's been over 4 years since LSM stack was introduced. The integrity
> > subsystem is long overdue for moving to this infrastructure. Here's my
> > first pass at converting integrity and ima (and some of evm) into LSM
> > hooks. This should be enough of an example to finish evm, and introduce
> > the missing hooks for both. For example, after this, it looks like ima
> > only has a couple places it's still doing things outside of the LSM. At
> > least these stood out:
> >
> > fs/namei.c: ima_post_create_tmpfile(mnt_userns, inode);
> > fs/namei.c: ima_post_path_mknod(mnt_userns, dentry);
> >
> > Mimi, can you please take this series and finish the conversion for
> > what's missing in ima and evm?
> >
> > I would also call attention to "175 insertions(+), 240 deletions(-)" --
> > as expected, this is a net reduction in code.
> >
> > Thanks!
>
> Without looking at any of the code, I just want to say this 100% gets
> my vote; this is something we need to make happen at some point.
>
> Thanks Kees!

Sorry I'm on vacation this week and the beginning of next week, but
will look at it when I get back.

Mimi