[PATCH v5 0/6] evm: Prepare for moving to the LSM infrastructure
Mimi Zohar
zohar at linux.ibm.com
Wed Nov 23 12:28:19 UTC 2022
Hi Roberto,
On Wed, 2022-11-23 at 10:51 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> One of the challenges that must be tackled to move IMA and EVM to the LSM
> infrastructure is to ensure that EVM is capable to correctly handle
> multiple stacked LSMs providing an xattr at file creation. At the moment,
> there are few issues that would prevent a correct integration. This patch
> set aims at solving them.
Let's take a step back and understand the purpose of this patch set.
Regardless of whether IMA and EVM are moved to the "LSM
infrastructure", EVM needs to support per LSM xattrs. A side affect is
the removal of the security_old_inode_init_security hook. This patch
set cover letter and patch descriptions should be limited to EVM
support for per LSM (multiple) xattrs. The motivation, concerns, and
problems of making IMA and EVM LSMs will be documented in the patch set
that actual makes them LSMs. Please remove all references to "move IMA
and EVM to the LSM infrastructure".
When EVM was upstreamed, there were filesystem limitations on the
number and size of the extended attributes. In addition there were
performance concerns, which resulted in staging the LSM, IMA and EVM
xattrs, before calling initxattrs to write them at the same time. With
this patch set, not only are per LSM xattrs supported, but multiple per
LSM xattrs are supported as well. Have the size limitation concerns
been addressed by the different filesystems? If not, then at minimum
this patch set needs to at least mention it and the possible
ramifications.
--
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list