[RFC PATCH 25/29] ima,evm: move initcalls to the LSM framework
Mimi Zohar
zohar at linux.ibm.com
Fri May 30 22:03:35 UTC 2025
On Wed, 2025-04-09 at 14:50 -0400, Paul Moore wrote:
> This patch converts IMA and EVM to use the LSM framework's initcall
> mechanism. There were two challenges to doing this conversion: the
> first simply being the number of initcalls across IMA and EVM, and the
> second was the number of resources shared between the two related,
> yet independent LSMs.
There are a number of initcalls under integrity/platform/, which load arch-specific
keys onto the platform and machine keyrings, which shouldn't be included in this
patch.
>
> The first problem was resolved by the creation of two new functions,
> integrity_device_init() and integrity_late_init(), with each focused on
> calling all of the various IMA/EVM initcalls for a single initcall type.
> The second problem was resolved by registering both of these new
> functions as initcalls for each LSM and including code in each
> registered initcall to ensure it only executes once.
With the above change, there obviously will be a lot fewer initcalls, but it
might still make sense to keep the common ima/evm function.
Mimi