[PATCH v4 31/34] ima,evm: move initcalls to the LSM framework
Paul Moore
paul at paul-moore.com
Wed Oct 1 17:23:16 UTC 2025
On Wed, Oct 1, 2025 at 1:04 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Tue, 2025-09-30 at 16:11 -0400, Paul Moore wrote:
> > On Tue, Sep 16, 2025 at 6:14 PM Paul Moore <paul at paul-moore.com> wrote:
> > >
> > > From: Roberto Sassu <roberto.sassu at huawei.com>
> > >
> > > This patch converts IMA and EVM to use the LSM frameworks's initcall
> > > mechanism. It moved the integrity_fs_init() call to ima_fs_init() and
> > > evm_init_secfs(), to work around the fact that there is no "integrity" LSM,
> > > and introduced integrity_fs_fini() to remove the integrity directory, if
> > > empty. Both integrity_fs_init() and integrity_fs_fini() support the
> > > scenario of being called by both the IMA and EVM LSMs.
> > >
> > > This patch does not touch any of the platform certificate code that
> > > lives under the security/integrity/platform_certs directory as the
> > > IMA/EVM developers would prefer to address that in a future patchset.
> > >
> > > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> > > [PM: adjust description as discussed over email]
> > > Signed-off-by: Paul Moore <paul at paul-moore.com>
> > > ---
> > > security/integrity/evm/evm_main.c | 3 +--
> > > security/integrity/evm/evm_secfs.c | 11 +++++++++--
> > > security/integrity/iint.c | 14 ++++++++++++--
> > > security/integrity/ima/ima_fs.c | 11 +++++++++--
> > > security/integrity/ima/ima_main.c | 4 ++--
> > > security/integrity/integrity.h | 2 ++
> > > 6 files changed, 35 insertions(+), 10 deletions(-)
> >
> > I appreciate you reviewing most (all?) of the other patches in this
> > patchset, but any chance you could review the IMA/EVM from Roberto?
> > This is the only patch that really needs your review ...
>
> I've already reviewed the patch, just not Acked it yet. I'll hopefully get to
> testing it later this week or next week.
As mentioned off-list, a review-by tag is worthless if you want me to
hold it for your ACK. When I'm asking you for a review on code which
you maintain, I'm asking for your go/no-go on the patch for merging;
that's an ACK.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list