On Jan 15, 2024 Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote: > > IMA and EVM are not effectively LSMs, especially due to the fact that in > the past they could not provide a security blob while there is another LSM > active. > > That changed in the recent years, the LSM stacking feature now makes it > possible to stack together multiple LSMs, and allows them to provide a > security blob for most kernel objects. While the LSM stacking feature has > some limitations being worked out, it is already suitable to make IMA and > EVM as LSMs. > > The main purpose of this patch set is to remove IMA and EVM function calls, > hardcoded in the LSM infrastructure and other places in the kernel, and to > register them as LSM hook implementations, so that those functions are > called by the LSM infrastructure like other regular LSMs. Thanks Roberto, this is looking good. I appreciate all the work you've put into making this happen; when I first mentioned this idea I figured it would be something that would happen much farther into the future, I wasn't expecting to see you pick this up and put in the work to make it happen - thank you. I had some pretty minor comments but I think the only thing I saw that I think needs a change/addition is a comment in the Makefile regarding the IMA/EVM ordering; take a look and let me know what you think. There are also a few patches in the patchset that don't have an ACK/review tag from Mimi, although now that you are co-maininting IMA/EVM with Mimi I don't know if that matters. If the two of you can let me know how you want me to handle LSM patches that are IMA/EVM related I would appreciate it (two ACKs, one or other, something else?). Once you add a Makefile commane and we sort out the IMA/EVM approval process I think we're good to get this into linux-next. A while back Mimi and I had a chat offline and if I recall everything correctly she preferred that I take this patchset via the LSM tree. I don't have a problem with that, and to be honest I would probably prefer that too, but I wanted to check with everyone that is still the case. Just in case, I've added my ACKs/reviews to this patchset in case this needs to be merged via the integrity tree. -- paul-moore.com