From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Paul Moore <paul@paul-moore.com>,
	Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-security-module@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH] lsm: drop LSM_ID_IMA
Date: Wed, 25 Oct 2023 12:35:34 +0200	[thread overview]
Message-ID: <93b2ea72-a9b1-4d50-bc4a-3d60d91dd44b@huaweicloud.com> (raw)
In-Reply-To: <CAHC9VhSVcfsCM6GjxJrSPCXV3PYRahXJi5HiNyKGCt8f_fOpmA@mail.gmail.com>

On 10/24/2023 11:18 PM, Paul Moore wrote:
> On Mon, Oct 23, 2023 at 11:48 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 10/23/2023 8:20 AM, Roberto Sassu wrote:
>>> On 10/20/2023 11:56 PM, Casey Schaufler wrote:
>>>> On 10/19/2023 1:08 AM, Roberto Sassu wrote:
>>>>> On Wed, 2023-10-18 at 17:50 -0400, Paul Moore wrote:
>>>>>> When IMA becomes a proper LSM we will reintroduce an appropriate
>>>>>> LSM ID, but drop it from the userspace API for now in an effort
>>>>>> to put an end to debates around the naming of the LSM ID macro.
>>>>>>
>>>>>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>>>>> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
>>>>>
>>>>> This makes sense according to the new goal of making 'ima' and 'evm' as
>>>>> standalone LSMs.
>>>>>
>>>>> Otherwise, if we took existing LSMs, we should have defined
>>>>> LSM_ID_INTEGRITY, associated to DEFINE_LSM(integrity).
>>>>>
>>>>> If we proceed with the new direction, I will add the new LSM IDs as
>>>>> soon as IMA and EVM become LSMs.
>>>>
>>>> This seems right to me. Thank You.
>>>
>>> Perfect! Is it fine to assign an LSM ID to 'ima' and 'evm' and keep
>>> the 'integrity' LSM to reserve space in the security blob without LSM
>>> ID (as long as it does not register any hook)?
>>
>> That will work, although it makes me wonder if all the data in the 'integrity' blob
>> is used by both IMA and EVM. If these are going to be separate LSMs they should probably
>> have their own security blobs. If there is data in common then an 'integrity' blob can
>> still make sense.
> 
> Users interact with IMA and EVM, not the "integrity" layer, yes?  If
> so, I'm not sure it makes sense to have an "integrity" LSM, we should
> just leave it at "IMA" and "EVM".

The problem is who reserves and manages the shared integrity metadata.
For now, it is still the 'integrity' LSM. If not, it would be IMA or EVM
on behalf of the other (depending on which ones are enabled). Probably
the second would not be a good idea.

Thanks

Roberto

