[PATCH v10 0/25] security: Move IMA and EVM to the LSM infrastructure
Paul Moore
paul at paul-moore.com
Fri Feb 16 04:43:36 UTC 2024
On Feb 15, 2024 Roberto Sassu <roberto.sassu at huaweicloud.com> wrote:
>
> IMA and EVM are not effectively LSMs, especially due to the fact that in
> the past they could not provide a security blob while there is another LSM
> active.
>
> That changed in the recent years, the LSM stacking feature now makes it
> possible to stack together multiple LSMs, and allows them to provide a
> security blob for most kernel objects. While the LSM stacking feature has
> some limitations being worked out, it is already suitable to make IMA and
> EVM as LSMs.
>
> The main purpose of this patch set is to remove IMA and EVM function calls,
> hardcoded in the LSM infrastructure and other places in the kernel, and to
> register them as LSM hook implementations, so that those functions are
> called by the LSM infrastructure like other regular LSMs.
As discussed earlier, I've just merged this into the lsm/dev tree; a big
thank you to Roberto for working on this and to all helped along the way
with reviews, testing, etc. I've wanted to see IMA/EVM integrated as
proper LSMs for a while and I'm very happy to finally see it happening.
Mimi, Roberto, I'm going to hold off on merging anything into the lsm/dev
tree for a few days in case you decide you would prefer to take these
patches yourselves. If I don't hear anything from the two of you, I'll
plan to send these to Linus during the next merge window.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list