On Fri, 2018-11-02 at 13:49 -0700, Kees Cook wrote: > On Fri, Nov 2, 2018 at 11:13 AM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > I don't recall why "integrity" is on the security_initcall, while both > > IMA and EVM are on the late_initcall(). > > It's because integrity needs to have a VFS buffer allocated extremely > early, so it used the security init to do it. While it's not an LSM, > it does use this part of LSM infrastructure. I didn't see an obvious > alternative at the time, but now that I think about it, maybe just a > simple postcore_initcall() would work? I was questioning why the "security_initcall", which is called after the late_initcall. Moving it to the postcore_initcall, before the late_initcall, sounds right. Mimi
