From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mimi Zohar
Subject: Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization
Date: Mon, 05 Nov 2018 09:13:58 -0500
Message-ID: <1541427238.21115.58.camel@linux.ibm.com>
References: <20181011001846.30964-1-keescook@chromium.org> <20181011001846.30964-13-keescook@chromium.org> <1541182406.20901.31.camel@linux.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
To: Kees Cook
Cc: James Morris, Casey Schaufler, John Johansen, Stephen Smalley, Paul Moore, Tetsuo Handa, Mimi Zohar, Randy Dunlap, Jordan Glover, LSM, "open list:DOCUMENTATION", linux-arch, LKML
List-Id: linux-arch.vger.kernel.org

On Fri, 2018-11-02 at 13:49 -0700, Kees Cook wrote:
> On Fri, Nov 2, 2018 at 11:13 AM, Mimi Zohar wrote:
> > I don't recall why "integrity" is on the security_initcall, while both
> > IMA and EVM are on the late_initcall().
>
> It's because integrity needs to have a VFS buffer allocated extremely
> early, so it used the security init to do it. While it's not an LSM,
> it does use this part of LSM infrastructure. I didn't see an obvious
> alternative at the time, but now that I think about it, maybe just a
> simple postcore_initcall() would work?

I was questioning why the "security_initcall", which is called after
the late_initcall. Moving it to the postcore_initcall, before the
late_initcall, sounds right.

Mimi