[PATCH v10 0/25] security: Move IMA and EVM to the LSM infrastructure

Roberto Sassu roberto.sassu at huaweicloud.com
Fri Feb 16 07:54:35 UTC 2024


On Thu, 2024-02-15 at 23:43 -0500, Paul Moore wrote:
> On Feb 15, 2024 Roberto Sassu <roberto.sassu at huaweicloud.com> wrote:
> > 
> > IMA and EVM are not effectively LSMs, especially due to the fact that in
> > the past they could not provide a security blob while there is another LSM
> > active.
> > 
> > That changed in the recent years, the LSM stacking feature now makes it
> > possible to stack together multiple LSMs, and allows them to provide a
> > security blob for most kernel objects. While the LSM stacking feature has
> > some limitations being worked out, it is already suitable to make IMA and
> > EVM as LSMs.
> > 
> > The main purpose of this patch set is to remove IMA and EVM function calls,
> > hardcoded in the LSM infrastructure and other places in the kernel, and to
> > register them as LSM hook implementations, so that those functions are
> > called by the LSM infrastructure like other regular LSMs.
> 
> As discussed earlier, I've just merged this into the lsm/dev tree; a big
> thank you to Roberto for working on this and to all helped along the way
> with reviews, testing, etc.  I've wanted to see IMA/EVM integrated as
> proper LSMs for a while and I'm very happy to finally see it happening.

Thank you, and thanks to all! That's an excellent news! Excited about
that!

> Mimi, Roberto, I'm going to hold off on merging anything into the lsm/dev
> tree for a few days in case you decide you would prefer to take these
> patches yourselves.  If I don't hear anything from the two of you, I'll
> plan to send these to Linus during the next merge window.

Perfect!

Roberto




More information about the Linux-security-module-archive mailing list