[RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM
Song Liu
songliubraving at meta.com
Wed Dec 18 16:48:46 UTC 2024
> On Dec 18, 2024, at 8:42 AM, Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> On 12/17/2024 10:41 PM, Song Liu wrote:
>>> On Dec 17, 2024, at 3:33 PM, Song Liu <songliubraving at meta.com> wrote:
>> [...]
>>
>>>>> +
>>>>> found = true;
>>>>> }
>>>>> }
>>>>> @@ -386,7 +389,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
>>>>>
>>>>> /* LSM_ORDER_LAST is always last. */
>>>>> for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
>>>>> - if (lsm->order == LSM_ORDER_LAST)
>>>>> + if (lsm->order == LSM_ORDER_LAST && is_enabled(lsm))
>>>>> append_ordered_lsm(lsm, " last");
>>> Before this change, lsm with order==LSM_ORDER_LAST is always considered
>>> enabled, which is a bug (if I understand you and Casey correctly).
>> According to commit 42994ee3cd7298b27698daa6848ed7168e72d056, LSMs with
>> order LSM_ORDER_LAST is expected to be always enabled:
>>
>> "Similarly to LSM_ORDER_FIRST, LSMs with LSM_ORDER_LAST are always enabled
>> and put at the end of the LSM list, if selected in the kernel
>> configuration. "
>>
>> Roberto, it feels weird to have two "last and always on" LSMs (ima and evm)
>> I guess this is not the expected behavior? At least, it appears to be a
>> surprise for Paul and Casey.
>
> I can't speak for Paul, but having multiple "first" and "last" entries
> comes as no surprise to me. We should probably have used LSM_ORDER_EARLY
> and LSM_ORDER_LATE instead of LSM_ORDER_FIRST and LSM_ORDER_LAST. As for
> "always on", I recall that being an artifact of compatibility for the
> security= boot option.
Yes, _LATE makes more sense than _LAST. _LAST is a bit weird, but not
surprising.
By "surprise to you and Paul", I meant the "always on" part. It appears
to me that both you and Paul believed that ima and evm are only enabled
with proper lsm= cmdline. Or maybe I totally misunderstood your
comments?
Thanks,
Song
More information about the Linux-security-module-archive
mailing list