On Thu, 2022-10-13 at 18:47 -0400, Paul Moore wrote:
> On Thu, Oct 13, 2022 at 6:36 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> >
> > Hi,
> >
> > It's been over 4 years since LSM stack was introduced. The integrity
> > subsystem is long overdue for moving to this infrastructure. Here's my
> > first pass at converting integrity and ima (and some of evm) into LSM
> > hooks. This should be enough of an example to finish evm, and introduce
> > the missing hooks for both. For example, after this, it looks like ima
> > only has a couple places it's still doing things outside of the LSM. At
> > least these stood out:
> >
> > fs/namei.c: ima_post_create_tmpfile(mnt_userns, inode);
> > fs/namei.c: ima_post_path_mknod(mnt_userns, dentry);
> >
> > Mimi, can you please take this series and finish the conversion for
> > what's missing in ima and evm?
> >
> > I would also call attention to "175 insertions(+), 240 deletions(-)" --
> > as expected, this is a net reduction in code.
> >
> > Thanks!
>
> Without looking at any of the code, I just want to say this 100% gets
> my vote; this is something we need to make happen at some point.
>
> Thanks Kees!

Sorry I'm on vacation this week and the beginning of next week, but
will look at it when I get back.

Mimi