On Wed, 2024-02-07 at 22:18 -0500, Paul Moore wrote:
On Jan 15, 2024 Roberto Sassu roberto.sassu@huaweicloud.com wrote:
IMA and EVM are not effectively LSMs, especially due to the fact that in the past they could not provide a security blob while there is another LSM active.
That changed in the recent years, the LSM stacking feature now makes it possible to stack together multiple LSMs, and allows them to provide a security blob for most kernel objects. While the LSM stacking feature has some limitations being worked out, it is already suitable to make IMA and EVM as LSMs.
The main purpose of this patch set is to remove IMA and EVM function calls, hardcoded in the LSM infrastructure and other places in the kernel, and to register them as LSM hook implementations, so that those functions are called by the LSM infrastructure like other regular LSMs.
Thanks Roberto, this is looking good. I appreciate all the work you've put into making this happen; when I first mentioned this idea I figured it would be something that would happen much farther into the future, I wasn't expecting to see you pick this up and put in the work to make it happen - thank you.
Thanks! I also appreciate a lot your guidance and suggestions.
I had some pretty minor comments but I think the only thing I saw that I think needs a change/addition is a comment in the Makefile regarding the IMA/EVM ordering; take a look and let me know what you think.
Oh, I remember well, it is there but difficult to spot...
--- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -18,5 +18,6 @@ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_powerpc.o \ platform_certs/keyring_handler.o +# The relative order of the 'ima' and 'evm' LSMs depends on the order below. obj-$(CONFIG_IMA) += ima/ obj-$(CONFIG_EVM) += evm/
There are also a few patches in the patchset that don't have an ACK/review tag from Mimi, although now that you are co-maininting IMA/EVM with Mimi I don't know if that matters. If the two of you can let me know how you want me to handle LSM patches that are IMA/EVM related I would appreciate it (two ACKs, one or other, something else?).
Ok, we will come back to you about this.
Once you add a Makefile commane and we sort out the IMA/EVM approval process I think we're good to get this into linux-next. A while back Mimi and I had a chat offline and if I recall everything correctly she preferred that I take this patchset via the LSM tree. I don't have a problem with that, and to be honest I would probably prefer that too, but I wanted to check with everyone that is still the case. Just in case, I've added my ACKs/reviews to this patchset in case this needs to be merged via the integrity tree.
Ok, given that there is the comment in the Makefile, the last thing to do from your side is to remove the vague comment in the file_release patch.
Other than that, I think Mimi wanted to give a last look. If that is ok, then the patches should be ready for your repo and linux-next.
Thanks
Roberto