On Mon, 2020-06-15 at 16:18 -0700, Casey Schaufler wrote:
> On 6/15/2020 10:44 AM, Mimi Zohar wrote:
> > (Cc'ing John)
> >
> > On Mon, 2020-06-15 at 10:33 -0700, Casey Schaufler wrote:
> >> On 6/15/2020 9:45 AM, Lakshmi Ramasubramanian wrote:
> >>> On 6/15/20 4:57 AM, Stephen Smalley wrote:
> >>>
> >>> Hi Stephen,
> >>>
> >>> Thanks for reviewing the patches.
> >>>
> >>>>> +void security_state_change(char *lsm_name, void *state, int state_len)
> >>>>> +{
> >>>>> + ima_lsm_state(lsm_name, state, state_len);
> >>>>> +}
> >>>>> +
> >>>> What's the benefit of this trivial function instead of just calling
> >>>> ima_lsm_state() directly?
> >>> One piece of feedback Casey Schaufler had given earlier was that calling an IMA function directly from SELinux (or any of the Security Modules) would be a layering violation.
> >> Hiding the ima_lsm_state() call doesn't address the layering.
> >> The point is that SELinux code being called from IMA (or the
> >> other way around) breaks the subsystem isolation. Unfortunately,
> >> it isn't obvious to me how you would go about what you're doing
> >> without integrating the subsystems.
> > Casey, I'm not sure why you think there is a layering issue here.
>
> I don't think there is, after further review. If the IMA code called
> selinux_dosomething() directly I'd be very concerned, but calling
> security_dosomething() which then calls selinux_dosomething() is fine.
> If YAMA called security_dosomething() I'd be very concerned, but that's
> not what's happening here.

As long as the call to IMA is not an LSM hook, there shouldn't be a
problem with an LSM calling IMA directly. A perfect example is
measuring, appraising and/or auditing LSM policies.

Mimi

> > There were multiple iterations of IMA before it was upstreamed. One
> > iteration had separate integrity hooks (LIM). Only when the IMA calls
> > and the security hooks are co-located, are they combined, as requested
> > by Linus.
> >
> > There was some AppArmor discussion about calling IMA directly, but I
> > haven't heard about it in a while or seen the patch.
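Review bot: security_state_change() only forwards its three arguments to ima_lsm_state() without modifying them, so `lsm_name` and `state` should be `const char *` and `const void *` (and `state_len` a `size_t`) so that callers can pass read-only policy buffers and the compiler enforces that the wrapper does not write to them; the new wrapper also has no kernel-doc comment, and since its whole purpose per this thread is to be the security_*() entry point that keeps LSMs from calling ima_lsm_state() directly, a comment stating exactly that (and who may call it) would make the layering rationale visible in the code rather than only in the mail archive.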