[PATCH] ima,evm: move initcalls to the LSM framework
Roberto Sassu
roberto.sassu at huaweicloud.com
Tue Sep 9 07:47:47 UTC 2025
On Mon, 2025-09-08 at 17:04 -0400, Paul Moore wrote:
> On Sun, Sep 7, 2025 at 10:46 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > On Sun, 2025-09-07 at 21:08 -0400, Paul Moore wrote:
> > > On Sun, Sep 7, 2025 at 5:18 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > > > On Tue, 2025-09-02 at 14:54 +0200, Roberto Sassu wrote:
> > > > > From: Paul Moore <paul at paul-moore.com>
> > > >
> > > > Remove above ...
> > > >
> > > > >
> > > > > This patch converts IMA and EVM to use the LSM frameworks's initcall
> > > > > mechanism. It moved the integrity_fs_init() call to ima_fs_init() and
> > > > > evm_init_secfs(), to work around the fact that there is no "integrity" LSM,
> > > > > and introduced integrity_fs_fini() to remove the integrity directory, if
> > > > > empty. Both integrity_fs_init() and integrity_fs_fini() support the
> > > > > scenario of being called by both the IMA and EVM LSMs.
> > > > >
> > > > > It is worth mentioning that this patch does not touch any of the
> > > > > "platform certs" code that lives in the security/integrity/platform_certs
> > > > > directory as the IMA/EVM maintainers have assured me that this code is
> > > > > unrelated to IMA/EVM, despite the location, and will be moved to a more
> > > >
> > > > This wording "unrelated to IMA/EVM" was taken from Paul's patch description, but
> > > > needs to be tweaked. Please refer to my comment on Paul's patch.
> > >
> > > Minim, Roberto, would both of you be okay if I changed the second
> > > paragraph to read as follows:
> > >
> > > "This patch does not touch any of the platform certificate code that
> > > lives under the security/integrity/platform_certs directory as the
> > > IMA/EVM developers would prefer to address that in a future patchset."
> >
> > That's fine.
>
> Roberto, is it okay if I update your patch with the text above and use
> it to replace my IMA/EVM patch in the LSM init patchset? I'll retain
> your From/Sign-off of course.
Yes, absolutely!
Roberto
More information about the Linux-security-module-archive
mailing list