lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhRu-_v19zWS0Pm0-4E-PWONcfR1-=Ekz9ObuOAgL0Y+sA@mail.gmail.com>
Date: Thu, 8 Feb 2024 09:16:48 -0500
From: Paul Moore <paul@...l-moore.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>
Cc: viro@...iv.linux.org.uk, brauner@...nel.org, chuck.lever@...cle.com, 
	jlayton@...nel.org, neilb@...e.de, kolga@...app.com, Dai.Ngo@...cle.com, 
	tom@...pey.com, jmorris@...ei.org, serge@...lyn.com, zohar@...ux.ibm.com, 
	dmitry.kasatkin@...il.com, eric.snowberg@...cle.com, dhowells@...hat.com, 
	jarkko@...nel.org, stephen.smalley.work@...il.com, eparis@...isplace.org, 
	casey@...aufler-ca.com, shuah@...nel.org, mic@...ikod.net, 
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, 
	linux-nfs@...r.kernel.org, linux-security-module@...r.kernel.org, 
	linux-integrity@...r.kernel.org, keyrings@...r.kernel.org, 
	selinux@...r.kernel.org, linux-kselftest@...r.kernel.org, 
	Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [PATCH v9 0/25] security: Move IMA and EVM to the LSM infrastructure

On Thu, Feb 8, 2024 at 3:06 AM Roberto Sassu
<roberto.sassu@...weicloud.com> wrote:
> On Wed, 2024-02-07 at 22:18 -0500, Paul Moore wrote:

..

> > I had some pretty minor comments but I think the only thing I saw that
> > I think needs a change/addition is a comment in the Makefile regarding
> > the IMA/EVM ordering; take a look and let me know what you think.
>
> Oh, I remember well, it is there but difficult to spot...
>
> --- a/security/integrity/Makefile
> +++ b/security/integrity/Makefile
> @@ -18,5 +18,6 @@ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
>  integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
>                                       platform_certs/load_powerpc.o \
>                                       platform_certs/keyring_handler.o
> +# The relative order of the 'ima' and 'evm' LSMs depends on the order below.
>  obj-$(CONFIG_IMA)                      += ima/
>  obj-$(CONFIG_EVM)                      += evm/

Great, thanks for that.  Not sure how I missed that ... ?

> > Once you add a Makefile commane and we sort out the IMA/EVM approval
> > process I think we're good to get this into linux-next.  A while back
> > Mimi and I had a chat offline and if I recall everything correctly she
> > preferred that I take this patchset via the LSM tree.  I don't have a
> > problem with that, and to be honest I would probably prefer
> > that too, but I wanted to check with everyone that is still the case.
> > Just in case, I've added my ACKs/reviews to this patchset in case this
> > needs to be merged via the integrity tree.
>
> Ok, given that there is the comment in the Makefile, the last thing to
> do from your side is to remove the vague comment in the file_release
> patch.
>
> Other than that, I think Mimi wanted to give a last look. If that is
> ok, then the patches should be ready for your repo and linux-next.

If Mimi is okay with the patchset as-is, and both of you would prefer
this to in via the LSM tree, don't worry about the file_release
comment, I'll just remove that when merging.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ