[PATCH] ima,evm: move initcalls to the LSM framework
Paul Moore
paul at paul-moore.com
Mon Sep 8 01:08:19 UTC 2025
On Sun, Sep 7, 2025 at 5:18 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
>
> On Tue, 2025-09-02 at 14:54 +0200, Roberto Sassu wrote:
> > From: Paul Moore <paul at paul-moore.com>
>
> Remove above ...
>
> >
> > This patch converts IMA and EVM to use the LSM framework's initcall
> > mechanism. It moved the integrity_fs_init() call to ima_fs_init() and
> > evm_init_secfs(), to work around the fact that there is no "integrity" LSM,
> > and introduced integrity_fs_fini() to remove the integrity directory, if
> > empty. Both integrity_fs_init() and integrity_fs_fini() support the
> > scenario of being called by both the IMA and EVM LSMs.
> >
> > It is worth mentioning that this patch does not touch any of the
> > "platform certs" code that lives in the security/integrity/platform_certs
> > directory as the IMA/EVM maintainers have assured me that this code is
> > unrelated to IMA/EVM, despite the location, and will be moved to a more
>
> This wording "unrelated to IMA/EVM" was taken from Paul's patch description, but
> needs to be tweaked. Please refer to my comment on Paul's patch.

Mimi, Roberto, would both of you be okay if I changed the second
paragraph to read as follows:

"This patch does not touch any of the platform certificate code that
lives under the security/integrity/platform_certs directory as the
IMA/EVM developers would prefer to address that in a future patchset."

> > relevant subsystem in the future.
> >
> > Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
>
> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>, but not yet tested.
--
paul-moore.com