[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <dd8a979df500489c0d8595f9a3f89c801ce6f1c2.camel@huaweicloud.com>
Date: Thu, 08 Feb 2024 09:05:54 +0100
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: Paul Moore <paul@...l-moore.com>, viro@...iv.linux.org.uk,
brauner@...nel.org, chuck.lever@...cle.com, jlayton@...nel.org,
neilb@...e.de, kolga@...app.com, Dai.Ngo@...cle.com, tom@...pey.com,
jmorris@...ei.org, serge@...lyn.com, zohar@...ux.ibm.com,
dmitry.kasatkin@...il.com, eric.snowberg@...cle.com, dhowells@...hat.com,
jarkko@...nel.org, stephen.smalley.work@...il.com, eparis@...isplace.org,
casey@...aufler-ca.com, shuah@...nel.org, mic@...ikod.net
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-nfs@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-integrity@...r.kernel.org, keyrings@...r.kernel.org,
selinux@...r.kernel.org, linux-kselftest@...r.kernel.org, Roberto Sassu
<roberto.sassu@...wei.com>
Subject: Re: [PATCH v9 0/25] security: Move IMA and EVM to the LSM
infrastructure
On Wed, 2024-02-07 at 22:18 -0500, Paul Moore wrote:
> On Jan 15, 2024 Roberto Sassu <roberto.sassu@...weicloud.com> wrote:
> >
> > IMA and EVM are not effectively LSMs, especially due to the fact that in
> > the past they could not provide a security blob while there is another LSM
> > active.
> >
> > That changed in the recent years, the LSM stacking feature now makes it
> > possible to stack together multiple LSMs, and allows them to provide a
> > security blob for most kernel objects. While the LSM stacking feature has
> > some limitations being worked out, it is already suitable to make IMA and
> > EVM as LSMs.
> >
> > The main purpose of this patch set is to remove IMA and EVM function calls,
> > hardcoded in the LSM infrastructure and other places in the kernel, and to
> > register them as LSM hook implementations, so that those functions are
> > called by the LSM infrastructure like other regular LSMs.
>
> Thanks Roberto, this is looking good. I appreciate all the work you've
> put into making this happen; when I first mentioned this idea I figured
> it would be something that would happen much farther into the future, I
> wasn't expecting to see you pick this up and put in the work to make it
> happen - thank you.
Thanks! I also appreciate a lot your guidance and suggestions.
> I had some pretty minor comments but I think the only thing I saw that
> I think needs a change/addition is a comment in the Makefile regarding
> the IMA/EVM ordering; take a look and let me know what you think.
Oh, I remember well, it is there but difficult to spot...
--- a/security/integrity/Makefile
+++ b/security/integrity/Makefile
@@ -18,5 +18,6 @@ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
platform_certs/load_powerpc.o \
platform_certs/keyring_handler.o
+# The relative order of the 'ima' and 'evm' LSMs depends on the order below.
obj-$(CONFIG_IMA) += ima/
obj-$(CONFIG_EVM) += evm/
> There are also a few patches in the patchset that don't have an
> ACK/review tag from Mimi, although now that you are co-maininting IMA/EVM
> with Mimi I don't know if that matters. If the two of you can let me
> know how you want me to handle LSM patches that are IMA/EVM related I
> would appreciate it (two ACKs, one or other, something else?).
Ok, we will come back to you about this.
> Once you add a Makefile commane and we sort out the IMA/EVM approval
> process I think we're good to get this into linux-next. A while back
> Mimi and I had a chat offline and if I recall everything correctly she
> preferred that I take this patchset via the LSM tree. I don't have a
> problem with that, and to be honest I would probably prefer
> that too, but I wanted to check with everyone that is still the case.
> Just in case, I've added my ACKs/reviews to this patchset in case this
> needs to be merged via the integrity tree.
Ok, given that there is the comment in the Makefile, the last thing to
do from your side is to remove the vague comment in the file_release
patch.
Other than that, I think Mimi wanted to give a last look. If that is
ok, then the patches should be ready for your repo and linux-next.
Thanks
Roberto
Powered by blists - more mailing lists