[PATCH v39 01/42] integrity: disassociate ima_filter_rule from security_audit_rule

Paul Moore paul at paul-moore.com
Fri Jun 21 21:18:50 UTC 2024 

On Fri, Jun 21, 2024 at 4:27 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Fri, 2024-06-21 at 15:07 -0400, Paul Moore wrote:
> > On Fri, Jun 21, 2024 at 12:50 PM Paul Moore <paul at paul-moore.com> wrote:
> > > On Fri, Dec 15, 2023 at 5:16 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> > > > Create real functions for the ima_filter_rule interfaces.
> > > > These replace #defines that obscure the reuse of audit
> > > > interfaces. The new functions are put in security.c because
> > > > they use security module registered hooks that we don't
> > > > want exported.
> > > >
> > > > Acked-by: Paul Moore <paul at paul-moore.com>
> > > > Reviewed-by: John Johansen <john.johansen at canonical.com>
> > > > Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> > > > To: Mimi Zohar <zohar at linux.ibm.com>
> > > > Cc: linux-integrity at vger.kernel.org
> > > > ---
> > > >  include/linux/security.h     | 24 ++++++++++++++++++++++++
> > > >  security/integrity/ima/ima.h | 26 --------------------------
> > > >  security/security.c          | 21 +++++++++++++++++++++
> > > >  3 files changed, 45 insertions(+), 26 deletions(-)
> > >
> > > Mimi, Roberto, are you both okay if I merge this into the lsm/dev
> > > branch?  The #define approach taken with the ima_filter_rule_XXX
> > > macros likely contributed to the recent problem where the build
> > > problem caused by the new gfp_t parameter was missed during review;
> > > I'd like to get this into an upstream tree independent of the larger
> > > stacking effort as I believe it has standalone value.
> >
> > ... and I just realized neither Mimi or Roberto were directly CC'd on
> > that last email, oops.  Fixed.
>
> Paul, I do see things posted on the linux-integrity mailing list pretty quickly.
> Unfortunately, something came up midday and I'm just seeing this now.  As for
> Roberto, it's probably a time zone issue.

Oh, no worries at all, please don't take my comment above to mean I
was expecting an immediate response!  I try to make sure that if I'm
addressing someone directly that they are explicitly included on the
To/CC line.  I was writing another email and it occurred to me that I
didn't check for that when emailing the two of you, and sure enough,
you guys weren't on the To/CC line ... I was just trying to fix my
screw-up :)

> The patch looks ok, but I haven't had a chance to apply or test it.  I'll look
> at it over the weekend and get back to you.

No rush, enjoy your weekend, the patch isn't going to run away :)

-- 
paul-moore.com

More information about the Linux-security-module-archive mailing list