Disassociating ima_filter_rule* from security_audit_rule*

Paul Moore paul at paul-moore.com
Thu Nov 4 18:57:28 UTC 2021


On Thu, Nov 4, 2021 at 1:35 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> After the last round of comments on the LSM stacking patches
> Dmitry Mastykin <dmastykin at astralinux.ru> pointed out a
> conundrum with reuse of the security_audit_rule functions
> in integrity rule processing. The audit system wants to
> match rules for any security module that has one. The
> integrity system wants to match rules for a single, explicitly
> defined LSM. The two sub-systems use common code in security.c
> which needs to be changed to support multiple LSMs, but needs
> to be changed differently for each of these cases. While it
> would be possible to create frankensteinish versions of the
> security_audit_rule functions that would handle both cases
> it seems that creating "real" versions of the ima_filter_rule
> functions would be considerably cleaner and easier to maintain
> going forward.
>
> I'm suggesting this now, while I'm still working on the patches,
> in case there's a solid reason that frankencode is absolutely
> everybody's favored approach. I plan to propose the disassociation
> as a patch separate from and in advance of the stacking series.

I'm not 100% clear on what you are talking about, but since you are
currently working on the next revision to the LSM stacking patchset
perhaps it's best to just wait and see what the code looks like.

-- 
paul moore
www.paul-moore.com
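The two matching semantics Casey describes, "any LSM that has a rule" for audit versus "one explicitly named LSM" for IMA, can be shown side by side in a small model. The code below is an added illustration for this archive page, not the kernel's security.c and not Casey's patch; the struct, the `lsm_ops` table, the two `model_*` functions and the toy labels are all assumptions chosen to make the difference concrete for a task that carries both an SELinux label and a Smack label.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical LSM identifiers for this model (not the kernel's numbering). */
#define LSM_ID_SELINUX 1
#define LSM_ID_SMACK   2

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* With stacking, a task carries one label per active LSM. Constructed model. */
struct task_labels {
	const char *selinux; /* e.g. "system_u:system_r:sshd_t" */
	const char *smack;   /* e.g. "_" */
};

/* Per-LSM rule matcher: 1 on match, 0 on no match. */
struct lsm_rule_ops {
	int lsm_id;
	const char *name;
	int (*match)(const struct task_labels *t, const char *rule_value);
};

static int selinux_match(const struct task_labels *t, const char *v)
{
	return t->selinux && strcmp(t->selinux, v) == 0;
}

static int smack_match(const struct task_labels *t, const char *v)
{
	return t->smack && strcmp(t->smack, v) == 0;
}

/* Stand-in for the per-LSM callbacks that security.c would iterate. */
static const struct lsm_rule_ops lsm_ops[] = {
	{ LSM_ID_SELINUX, "selinux", selinux_match },
	{ LSM_ID_SMACK,   "smack",   smack_match },
};

/*
 * Audit-style semantics: the rule matches if ANY active LSM says it does.
 * The caller does not (and cannot) name which LSM the rule belongs to.
 */
int model_audit_rule_match(const struct task_labels *t, const char *rule_value)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(lsm_ops); i++)
		if (lsm_ops[i].match(t, rule_value))
			return 1;
	return 0;
}

/*
 * IMA-style semantics: the policy rule names exactly one LSM, and only
 * that LSM's label may be consulted. A rule for an LSM that is not
 * active is an error, not a silent non-match.
 */
int model_ima_filter_rule_match(int lsm_id, const struct task_labels *t,
				const char *rule_value)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(lsm_ops); i++)
		if (lsm_ops[i].lsm_id == lsm_id)
			return lsm_ops[i].match(t, rule_value);
	return -EINVAL;
}

int main(void)
{
	/* Constructed task: SELinux label plus the Smack "floor" label. */
	const struct task_labels t = { "system_u:system_r:sshd_t", "_" };

	/* Same rule value, two different answers depending on the semantics. */
	printf("audit  (any LSM)        '_' -> %d\n",
	       model_audit_rule_match(&t, "_"));
	printf("ima    (selinux only)   '_' -> %d\n",
	       model_ima_filter_rule_match(LSM_ID_SELINUX, &t, "_"));
	printf("ima    (smack only)     '_' -> %d\n",
	       model_ima_filter_rule_match(LSM_ID_SMACK, &t, "_"));
	printf("ima    (unknown LSM id) '_' -> %d\n",
	       model_ima_filter_rule_match(99, &t, "_"));
	return 0;
}
```

The point the model makes is the one in the quoted message: a single shared helper that loops over every LSM gives the audit answer (match, because Smack's label is "_"), while an IMA rule pinned to SELinux must say no-match for the same value and must be able to report that a named LSM is not present at all. Folding both behaviours into one function means threading a "which LSM, or all of them" argument through every caller, which is the frankencode the message wants to avoid.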