[RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM
Song Liu
songliubraving at meta.com
Tue Dec 17 22:02:26 UTC 2024
> On Dec 17, 2024, at 1:29 PM, Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> On 12/17/2024 12:25 PM, Song Liu wrote:
>> While reading and testing LSM code, I found IMA/EVM consume per inode
>> storage even when they are not in use. Add options to diable them in
>> kernel command line. The logic and syntax is mostly borrowed from an
>> old serious [1].
>
> Why not omit ima and evm from the lsm= parameter?
Both ima and evm have LSM_ORDER_LAST, so they are not controlled
by lsm= parameter. But we can probably change this behavior in
ordered_lsm_parse(), so that ima and evm are controlled by lsm=.
Thanks,
Song
>
>>
>> [1] https://lore.kernel.org/lkml/cover.1398259638.git.d.kasatkin@samsung.com/
>>
>> Song Liu (2):
>> ima: Add kernel parameter to disable IMA
>> evm: Add kernel parameter to disable EVM
>>
>> security/integrity/evm/evm.h | 6 ++++++
>> security/integrity/evm/evm_main.c | 22 ++++++++++++++--------
>> security/integrity/evm/evm_secfs.c | 3 ++-
>> security/integrity/ima/ima_main.c | 13 +++++++++++++
>> 4 files changed, 35 insertions(+), 9 deletions(-)
>>
>> --
>> 2.43.5
>>
More information about the Linux-security-module-archive
mailing list