> On Dec 17, 2024, at 2:04 PM, Song Liu <songliubraving@xxxxxxxx> wrote:
>
>> On Dec 17, 2024, at 1:59 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>>
>> On Tue, Dec 17, 2024 at 4:29 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>>> On 12/17/2024 12:25 PM, Song Liu wrote:
>>>> While reading and testing LSM code, I found IMA/EVM consume per inode
>>>> storage even when they are not in use. Add options to disable them in
>>>> kernel command line. The logic and syntax is mostly borrowed from an
>>>> old series [1].
>>>
>>> Why not omit ima and evm from the lsm= parameter?
>>
>> Exactly. Here is a link to the kernel documentation if anyone is
>> interested (search for "lsm"):
>>
>> https://docs.kernel.org/admin-guide/kernel-parameters.html
>>
>> It is worth mentioning that this works for all the LSMs.
>
> I guess this is a bug that ima and evm cannot be disabled
> by (not being added to) the lsm= parameter?

If we use lsm= to control ima and evm, we will need the following changes
in ordered_lsm_parse(). We still need supporting logic on the ima and evm
side, so that ima and evm are only initialized when they are in lsm=.

Does this sound like the right way forward?

Thanks,
Song

diff --git i/security/security.c w/security/security.c index 09664e09fec9..00271be3b0c1 100644 --- i/security/security.c +++ w/security/security.c @@ -365,6 +365,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) if (strcmp(lsm->name, name) == 0) { if (lsm->order == LSM_ORDER_MUTABLE) append_ordered_lsm(lsm, origin); + else if (lsm->order == LSM_ORDER_LAST) + set_enabled(lsm, true); + found = true; } } @@ -386,7 +389,7 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) /* LSM_ORDER_LAST is always last. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (lsm->order == LSM_ORDER_LAST) + if (lsm->order == LSM_ORDER_LAST && is_enabled(lsm)) append_ordered_lsm(lsm, " last"); }
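Review bot: In the first hunk (the name-matching loop at the top of ordered_lsm_parse()), `set_enabled(lsm, true)` is the only place an LSM_ORDER_LAST LSM is ever switched on, and there is no matching path that switches one off when its name is absent from the order string. That only works if ima and evm start out disabled in their lsm_info entries, which is the "supporting logic in ima and evm side" the message mentions; it should land in the same series, otherwise the `is_enabled()` test in the second hunk changes nothing. Note also that ordered_lsm_parse() is run for the built-in CONFIG_LSM string as well as for a runtime `lsm=`, so any existing configuration whose order string does not name ima and evm would silently stop initializing them; the lsm= entry in kernel-parameters.html should say so.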
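Review bot: In the second hunk, the `" last"` origin string passed to append_ordered_lsm() no longer reflects where the LSM was actually selected, since after this change an LSM_ORDER_LAST LSM only gets here because it appeared in `order` (from `origin`, i.e. the command line or the CONFIG_LSM default). Consider passing `origin` through, or adjusting the "LSM_ORDER_LAST is always last" comment, so that the boot-time "LSM: ... ordering" output stays truthful about why ima/evm were enabled.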