On Tue, 2022-10-18 at 17:07 +0200, Christian Brauner wrote: > On Thu, Oct 13, 2022 at 03:36:48PM -0700, Kees Cook wrote: > > Move the xattr IMA hooks into normal LSM layer. As with SELinux and > > Smack, handle calling cap_inode_setxattr() internally. > > > > Cc: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > Cc: Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> > > Cc: Paul Moore <paul@xxxxxxxxxxxxxx> > > Cc: James Morris <jmorris@xxxxxxxxx> > > Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx> > > Cc: Borislav Petkov <bp@xxxxxxx> > > Cc: Jonathan McDowell <noodles@xxxxxx> > > Cc: Takashi Iwai <tiwai@xxxxxxx> > > Cc: Petr Vorel <pvorel@xxxxxxx> > > Cc: linux-integrity@xxxxxxxxxxxxxxx > > Cc: linux-security-module@xxxxxxxxxxxxxxx > > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > > --- > > I like that changes obviously but in general, does IMA depend on being > called _after_ all other LSMs or is this just a historical artifact? Calculating the EVM HMAC must be last, after the other security xattrs have been updated. -- thanks, Mimi
