[PATCH] Smack modifications for: security: Allow all LSMs to provide xattrs for inode_init_security hook
Mimi Zohar
zohar at linux.ibm.com
Thu Apr 20 10:44:00 UTC 2023
On Thu, 2023-04-20 at 10:50 +0200, Roberto Sassu wrote:
> >
> > It's possible. It's been a long time since I've looked at this.
> > I'm tempted to take a change to make overlayfs work upstream and
> > then worry about the ima changes. There seems to be a lot more
> > going on with the ima changes than is obvious from what's in the
> > Smack code.
It doesn't sound like the patch set introduces the overlayfs bug.
The security_inode_init_security() change to initialize multiple LSMs
and IMA xattrs and include them in the EVM hmac calculation is straight
forward.
In addition, the patch set creates the infrastructure for allowing
multiple per LSM xattrs, as requested, to be initialized in
security_inode_init_security() and included in the EVM hmac.
Mimi
> We could also set only SMACK64 in smack_inode_init_security(), and move
> SMACKTRANSMUTE64 later, when we figure out how to fix the case of
> overlayfs.
>
> IMA and EVM would work in both cases.
More information about the Linux-security-module-archive
mailing list