Message ID | 20230309085433.1810314-1-roberto.sassu@huaweicloud.com |
---|---|
Headers | From: Roberto Sassu <roberto.sassu@huaweicloud.com>; To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net; Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu <roberto.sassu@huawei.com>; Subject: [PATCH v3 0/3] security: Always enable integrity LSM; Date: Thu, 9 Mar 2023 09:54:30 +0100; List-ID: <linux-kernel.vger.kernel.org> |
Series | security: Always enable integrity LSM | |
Message
Roberto Sassu
March 9, 2023, 8:54 a.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Since the integrity (including IMA and EVM) functions are currently always
called by the LSM infrastructure, and always after all LSMs, formalize
these requirements by introducing a new LSM ordering called LSM_ORDER_LAST,
and set it for the 'integrity' LSM (patch 1).

Consequently, revert commit 92063f3ca73a ("integrity: double check
iint_cache was initialized"), as the double check becomes always verified
(patch 2), and remove 'integrity' from the list of LSMs in
security/Kconfig (patch 3).

Changelog:

v2:
- Fix commit message in patch 1 (suggested by Mimi)
- Bump version of patch 2 (v1 -> v3) to make one patch set
- Add patch 3 (suggested by Mimi)

v1:
- Add comment for LSM_ORDER_LAST definition (suggested by Mimi)
- Add Fixes tag (suggested by Mimi)
- Do minor corrections in the commit messages (suggested by Mimi and
  Stefan)

Roberto Sassu (3):
  security: Introduce LSM_ORDER_LAST and set it for the integrity LSM
  Revert "integrity: double check iint_cache was initialized"
  security: Remove integrity from the LSM list in Kconfig

include/linux/lsm_hooks.h | 1 +
security/Kconfig | 10 +++++-----
security/integrity/iint.c | 9 +--------
security/security.c | 12 +++++++++---
4 files changed, 16 insertions(+), 16 deletions(-)
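
The ordering rule the cover letter describes, as an added example: a simplified user-space model, not code from this series or from the kernel. The `model_lsm` struct, the `build_order()` and `append()` helpers, the sample registry and the numeric enum values are assumptions made for illustration; only the name LSM_ORDER_LAST comes from the message.

```c
#include <stdio.h>
#include <string.h>

/* Ordering classes; LSM_ORDER_LAST is the one the series introduces.
 * The numeric values are assumptions of this model. */
enum lsm_order { LSM_ORDER_FIRST = -1, LSM_ORDER_MUTABLE = 0, LSM_ORDER_LAST = 1 };
struct model_lsm { const char *name; enum lsm_order order; };

/* Constructed registry; registration order is deliberately scrambled. */
static const struct model_lsm registry[] = {
    { "integrity",  LSM_ORDER_LAST },
    { "capability", LSM_ORDER_FIRST },
    { "selinux",    LSM_ORDER_MUTABLE },
    { "bpf",        LSM_ORDER_MUTABLE },
};
#define N_LSM (sizeof(registry) / sizeof(registry[0]))

/* Append a registry name once; repeats in the list are ignored. */
static size_t append(const char **out, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (out[i] == name)
            return n;
    out[n] = name;
    return n + 1;
}

/* Fill out[] (N_LSM slots) with the call order for a comma-separated
 * list; returns the number of enabled LSMs. */
size_t build_order(const char *list, const char **out)
{
    char buf[128];
    size_t n = 0;

    snprintf(buf, sizeof(buf), "%s", list);
    for (size_t i = 0; i < N_LSM; i++)          /* FIRST: always at the front */
        if (registry[i].order == LSM_ORDER_FIRST)
            n = append(out, n, registry[i].name);
    for (char *t = strtok(buf, ","); t; t = strtok(NULL, ","))
        for (size_t i = 0; i < N_LSM; i++)      /* list positions MUTABLE only */
            if (registry[i].order == LSM_ORDER_MUTABLE && !strcmp(registry[i].name, t))
                n = append(out, n, registry[i].name);
    for (size_t i = 0; i < N_LSM; i++)          /* LAST: always at the end */
        if (registry[i].order == LSM_ORDER_LAST)
            n = append(out, n, registry[i].name);
    return n;
}

int main(void)
{
    const char *out[N_LSM];
    size_t n = build_order("integrity,bpf,selinux", out);
    for (size_t i = 0; i < n; i++)
        printf("%zu: %s\n", i, out[i]);
    return 0;
}
```

In this model, naming 'integrity' first in the list or leaving it out entirely gives the same result: it is enabled and placed after every other LSM.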