[PATCH v15 00/11] LSM: Three basic syscalls

Paul Moore paul at paul-moore.com
Wed Oct 18 20:40:16 UTC 2023


On Wed, Oct 18, 2023 at 4:23 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Wed, 2023-10-18 at 12:35 -0400, Paul Moore wrote:
> > On Wed, Oct 18, 2023 at 10:15 AM Roberto Sassu
> > <roberto.sassu at huaweicloud.com> wrote:
> > > On 10/18/2023 3:09 PM, Mimi Zohar wrote:
> >
> > ...
> >
> > > > I agree with Roberto.  All three should be defined: LSM_ID_INTEGRITY,
> > > > LSM_ID_IMA, LSM_ID_EVM.
> > >
> > > I did not try yet, but the 'integrity' LSM does not need an LSM ID. With
> > > the last version adding hooks to 'ima' or 'evm', it should be sufficient
> > > to keep DEFINE_LSM(integrity) with the request to store a pointer in the
> > > security blob (even the init function can be a dummy function).
> >
> > First off, this *really* should have been brought up way, way, *way*
> > before now.  This patchset has been discussed for months, and bringing
> > up concerns in the eleventh hour is borderline rude.
>
> As everyone knows IMA and EVM are not LSMs at this point.

Considering all the work Roberto has been doing to make that happen,
not to mention the discussions we've had on this topic, that's an
awfully small technicality to use as the basis of an argument.

> So the only thing that is "rude" is the way you're responding in this
> thread.

Agree to disagree.

> > At least we haven't shipped this in a tagged release from Linus yet,
> > so there is that.
>
> What does that have to do with anything?!  Code changes.

Code can change, Linux kernel APIs should not change.

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list