[PATCH] lsm: drop LSM_ID_IMA

Roberto Sassu roberto.sassu at huaweicloud.com
Mon Oct 23 15:20:03 UTC 2023


On 10/20/2023 11:56 PM, Casey Schaufler wrote:
> On 10/19/2023 1:08 AM, Roberto Sassu wrote:
>> On Wed, 2023-10-18 at 17:50 -0400, Paul Moore wrote:
>>> When IMA becomes a proper LSM we will reintroduce an appropriate
>>> LSM ID, but drop it from the userspace API for now in an effort
>>> to put an end to debates around the naming of the LSM ID macro.
>>>
>>> Signed-off-by: Paul Moore <paul at paul-moore.com>
>> Reviewed-by: Roberto Sassu <roberto.sassu at huawei.com>
>>
>> This makes sense according to the new goal of making 'ima' and 'evm'
>> standalone LSMs.
>>
>> Otherwise, if we took existing LSMs, we should have defined
>> LSM_ID_INTEGRITY, associated to DEFINE_LSM(integrity).
>>
>> If we proceed with the new direction, I will add the new LSM IDs as
>> soon as IMA and EVM become LSMs.
> 
> This seems right to me. Thank You.

Perfect! Is it fine to assign an LSM ID to 'ima' and 'evm' and keep the 
'integrity' LSM to reserve space in the security blob without LSM ID (as 
long as it does not register any hook)?

Thanks

Roberto

>> Roberto
>>
>>> ---
>>>   include/uapi/linux/lsm.h | 15 +++++++--------
>>>   1 file changed, 7 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
>>> index eeda59a77c02..f0386880a78e 100644
>>> --- a/include/uapi/linux/lsm.h
>>> +++ b/include/uapi/linux/lsm.h
>>> @@ -54,14 +54,13 @@ struct lsm_ctx {
>>>   #define LSM_ID_SELINUX		101
>>>   #define LSM_ID_SMACK		102
>>>   #define LSM_ID_TOMOYO		103
>>> -#define LSM_ID_IMA		104
>>> -#define LSM_ID_APPARMOR		105
>>> -#define LSM_ID_YAMA		106
>>> -#define LSM_ID_LOADPIN		107
>>> -#define LSM_ID_SAFESETID	108
>>> -#define LSM_ID_LOCKDOWN		109
>>> -#define LSM_ID_BPF		110
>>> -#define LSM_ID_LANDLOCK		111
>>> +#define LSM_ID_APPARMOR		104
>>> +#define LSM_ID_YAMA		105
>>> +#define LSM_ID_LOADPIN		106
>>> +#define LSM_ID_SAFESETID	107
>>> +#define LSM_ID_LOCKDOWN		108
>>> +#define LSM_ID_BPF		109
>>> +#define LSM_ID_LANDLOCK		110
>>>   
>>>   /*
>>>    * LSM_ATTR_XXX definitions identify different LSM attributes


