[PATCH v3 0/3] security: Always enable integrity LSM

Roberto Sassu roberto.sassu at huaweicloud.com
Thu Mar 9 08:54:30 UTC 2023


From: Roberto Sassu <roberto.sassu at huawei.com>

Since the integrity (including IMA and EVM) functions are currently always
called by the LSM infrastructure, and always after all LSMs, formalize
these requirements by introducing a new LSM ordering called LSM_ORDER_LAST,
and set it for the 'integrity' LSM (patch 1).

Consequently, revert commit 92063f3ca73a ("integrity: double check
iint_cache was initialized"), as the double check becomes always verified
(patch 2), and remove 'integrity' from the list of LSMs in
security/Kconfig (patch 3).

Changelog:

v2:
- Fix commit message in patch 1 (suggested by Mimi)
- Bump version of patch 2 (v1 -> v3) to make one patch set
- Add patch 3 (suggested by Mimi)

v1:
- Add comment for LSM_ORDER_LAST definition (suggested by Mimi)
- Add Fixes tag (suggested by Mimi)
- Do minor corrections in the commit messages (suggested by Mimi and
  Stefan)

Roberto Sassu (3):
  security: Introduce LSM_ORDER_LAST and set it for the integrity LSM
  Revert "integrity: double check iint_cache was initialized"
  security: Remove integrity from the LSM list in Kconfig

 include/linux/lsm_hooks.h |  1 +
 security/Kconfig          | 10 +++++-----
 security/integrity/iint.c |  9 +--------
 security/security.c       | 12 +++++++++---
 4 files changed, 16 insertions(+), 16 deletions(-)

-- 
2.25.1



More information about the Linux-security-module-archive mailing list