[PATCH] lsm: drop LSM_ID_IMA

Casey Schaufler casey at schaufler-ca.com
Mon Oct 23 15:48:13 UTC 2023 

On 10/23/2023 8:20 AM, Roberto Sassu wrote:
> On 10/20/2023 11:56 PM, Casey Schaufler wrote:
>> On 10/19/2023 1:08 AM, Roberto Sassu wrote:
>>> On Wed, 2023-10-18 at 17:50 -0400, Paul Moore wrote:
>>>> When IMA becomes a proper LSM we will reintroduce an appropriate
>>>> LSM ID, but drop it from the userspace API for now in an effort
>>>> to put an end to debates around the naming of the LSM ID macro.
>>>>
>>>> Signed-off-by: Paul Moore <paul at paul-moore.com>
>>> Reviewed-by: Roberto Sassu <roberto.sassu at huawei.com>
>>>
>>> This makes sense according to the new goal of making 'ima' and 'evm' as
>>> standalone LSMs.
>>>
>>> Otherwise, if we took existing LSMs, we should have defined
>>> LSM_ID_INTEGRITY, associated to DEFINE_LSM(integrity).
>>>
>>> If we proceed with the new direction, I will add the new LSM IDs as
>>> soon as IMA and EVM become LSMs.
>>
>> This seems right to me. Thank You.
>
> Perfect! Is it fine to assign an LSM ID to 'ima' and 'evm' and keep
> the 'integrity' LSM to reserve space in the security blob without LSM
> ID (as long as it does not register any hook)?

That will work, although it makes me wonder if all the data in the 'integrity' blob
is used by both IMA and EVM. If these are going to be separate LSMs they should probably
have their own security blobs. If there is data in common then an 'integrity' blob can
still makes sense.

>
> Thanks
>
> Roberto
>
>>> Roberto
>>>
>>>> ---
>>>>   include/uapi/linux/lsm.h | 15 +++++++--------
>>>>   1 file changed, 7 insertions(+), 8 deletions(-)
>>>>
>>>> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
>>>> index eeda59a77c02..f0386880a78e 100644
>>>> --- a/include/uapi/linux/lsm.h
>>>> +++ b/include/uapi/linux/lsm.h
>>>> @@ -54,14 +54,13 @@ struct lsm_ctx {
>>>>   #define LSM_ID_SELINUX        101
>>>>   #define LSM_ID_SMACK        102
>>>>   #define LSM_ID_TOMOYO        103
>>>> -#define LSM_ID_IMA        104
>>>> -#define LSM_ID_APPARMOR        105
>>>> -#define LSM_ID_YAMA        106
>>>> -#define LSM_ID_LOADPIN        107
>>>> -#define LSM_ID_SAFESETID    108
>>>> -#define LSM_ID_LOCKDOWN        109
>>>> -#define LSM_ID_BPF        110
>>>> -#define LSM_ID_LANDLOCK        111
>>>> +#define LSM_ID_APPARMOR        104
>>>> +#define LSM_ID_YAMA        105
>>>> +#define LSM_ID_LOADPIN        106
>>>> +#define LSM_ID_SAFESETID    107
>>>> +#define LSM_ID_LOCKDOWN        108
>>>> +#define LSM_ID_BPF        109
>>>> +#define LSM_ID_LANDLOCK        110
>>>>     /*
>>>>    * LSM_ATTR_XXX definitions identify different LSM attributes
>

More information about the Linux-security-module-archive mailing list