[PATCH] evm: Correct inode_init_security hooks behaviors
Casey Schaufler
casey at schaufler-ca.com
Tue Oct 25 15:06:06 UTC 2022
On 10/25/2022 7:21 AM, Mimi Zohar wrote:
> On Tue, 2022-10-25 at 15:33 +0200, Nicolas Bouchinet wrote:
>>> Agreed, independently as to whether BPF defines a security xattr, if
>>> two LSMs initialize security xattrs, then this change is needed. Are
>>> there any other examples?
>> I think that in its current state the kernel cannot load two LSM capable of xattr
>> initialization as they are all defined with the `LSM_FLAG_EXCLUSIVE` flag set.
>> But I may be unaware of other LSM in development stage.
> Casey, Paul, can we get confirmation on this?
I'm working really hard to eliminate LSM_FLAG_EXCLUSIVE. Dealing with
multiple security modules initializing security xattrs has been in the
stacking patch sets that have been in review for years now. So no,
you can't wave the problem away by pointing at LSM_FLAG_EXCLUSIVE.
>>> (nit: I understand the line size has generally been relaxed, but for
>>> IMA/EVM I would prefer it to be remain as 80 chars.)
>>>
>> No problem, will change it !
>>
>> I'll take time to run few tests with BPF and send a patch v3 with new changes.
> Since Roberto's patches will address the BPF bug(s), is this a fix for
> a real bug or a possbile future one. Cc'ing stable might not be
> necessary.
>
> thanks,
>
> Mimi
>
More information about the Linux-security-module-archive
mailing list