Message ID | 20230310085401.1964889-1-roberto.sassu@huaweicloud.com |
---|---|
Headers | From: Roberto Sassu <roberto.sassu@huaweicloud.com>; To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net; Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu <roberto.sassu@huawei.com>; Subject: [PATCH v4 0/3] security: Always enable integrity LSM; Date: Fri, 10 Mar 2023 09:53:58 +0100 |
Series | security: Always enable integrity LSM |
Message
Roberto Sassu
March 10, 2023, 8:53 a.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com>

Since the integrity (including IMA and EVM) functions are currently always
called by the LSM infrastructure, and always after all LSMs, formalize
these requirements by introducing a new LSM ordering called LSM_ORDER_LAST,
and set it for the 'integrity' LSM (patch 1).

Consequently, revert commit 92063f3ca73a ("integrity: double check
iint_cache was initialized"), as the double check becomes always verified
(patch 2), and remove 'integrity' from the list of LSMs in
security/Kconfig (patch 3).

Changelog

v3:
- Remove Signed-off-by tag by Mimi (suggested by Paul)
- Clarify that an LSM with order LSM_ORDER_FIRST or LSM_ORDER_LAST is
always enabled if it is selected in the kernel configuration (suggested
by Paul)

v2:
- Fix commit message in patch 1 (suggested by Mimi)
- Bump version of patch 2 (v1 -> v3) to make one patch set
- Add patch 3 (suggested by Mimi)

v1:
- Add comment for LSM_ORDER_LAST definition (suggested by Mimi)
- Add Fixes tag (suggested by Mimi)
- Do minor corrections in the commit messages (suggested by Mimi and
Stefan)

Roberto Sassu (3):
security: Introduce LSM_ORDER_LAST and set it for the integrity LSM
Revert "integrity: double check iint_cache was initialized"
security: Remove integrity from the LSM list in Kconfig

include/linux/lsm_hooks.h | 1 +
security/Kconfig | 16 +++++++++-------
security/integrity/iint.c | 9 +--------
security/security.c | 12 +++++++++---
4 files changed, 20 insertions(+), 18 deletions(-)
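The ordering rule the cover letter formalizes, as an added model in C (not the kernel's security/security.c): LSM_ORDER_FIRST LSMs are placed first, mutable LSMs follow in the order of the lsm= list, and LSM_ORDER_LAST LSMs (here 'integrity') are appended after all of them and enabled whether or not the list names them. The LSM_ORDER_MUTABLE name and the lsm= parameter are taken from the existing kernel ordering code, not from this page; the LSM table and the lists fed to it are constructed for the example.

```c
#include <string.h>

/* LSM orderings; LSM_ORDER_LAST is the one this series introduces */
enum lsm_order { LSM_ORDER_FIRST = -1, LSM_ORDER_MUTABLE = 0, LSM_ORDER_LAST = 1 };

struct lsm_info { const char *name; enum lsm_order order; int enabled; };

/* Constructed table of built-in LSMs, deliberately not in execution order */
static struct lsm_info lsms[] = {
	{ "integrity",  LSM_ORDER_LAST,    0 },
	{ "capability", LSM_ORDER_FIRST,   0 },
	{ "selinux",    LSM_ORDER_MUTABLE, 0 },
	{ "yama",       LSM_ORDER_MUTABLE, 0 },
	{ "lockdown",   LSM_ORDER_MUTABLE, 0 },
};
#define NLSM (sizeof(lsms) / sizeof(lsms[0]))

/* Append every not-yet-enabled LSM of the given order (one name only if given) */
static size_t append(enum lsm_order order, const char *name,
		     const char **out, size_t n, size_t max)
{
	for (size_t i = 0; i < NLSM && n < max; i++) {
		if (lsms[i].enabled || lsms[i].order != order)
			continue;
		if (name && strcmp(lsms[i].name, name) != 0)
			continue;
		lsms[i].enabled = 1;
		out[n++] = lsms[i].name;
	}
	return n;
}

/* Build the init order from an lsm= style list; returns the number of enabled LSMs */
size_t build_lsm_order(const char *lsm_list, const char **out, size_t max)
{
	char buf[256];
	size_t n;

	for (size_t i = 0; i < NLSM; i++)
		lsms[i].enabled = 0;
	/* 1. LSM_ORDER_FIRST LSMs run first and are always enabled */
	n = append(LSM_ORDER_FIRST, NULL, out, 0, max);
	/* 2. Mutable LSMs follow in list order; unlisted ones stay disabled */
	strncpy(buf, lsm_list, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';
	for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
		n = append(LSM_ORDER_MUTABLE, tok, out, n, max);
	/* 3. LSM_ORDER_LAST LSMs (integrity) are always enabled and run after all others */
	return append(LSM_ORDER_LAST, NULL, out, n, max);
}
```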
Comments
On Fri, Mar 10, 2023 at 3:54 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
>
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Since the integrity (including IMA and EVM) functions are currently always
> called by the LSM infrastructure, and always after all LSMs, formalize
> these requirements by introducing a new LSM ordering called LSM_ORDER_LAST,
> and set it for the 'integrity' LSM (patch 1).
>
> Consequently, revert commit 92063f3ca73a ("integrity: double check
> iint_cache was initialized"), as the double check becomes always verified
> (patch 2), and remove 'integrity' from the list of LSMs in
> security/Kconfig (patch 3).
>
> Changelog
>
> v3:
> - Remove Signed-off-by tag by Mimi (suggested by Paul)
> - Clarify that an LSM with order LSM_ORDER_FIRST or LSM_ORDER_LAST is
> always enabled if it is selected in the kernel configuration (suggested
> by Paul)
>
> v2:
> - Fix commit message in patch 1 (suggested by Mimi)
> - Bump version of patch 2 (v1 -> v3) to make one patch set
> - Add patch 3 (suggested by Mimi)
>
> v1:
> - Add comment for LSM_ORDER_LAST definition (suggested by Mimi)
> - Add Fixes tag (suggested by Mimi)
> - Do minor corrections in the commit messages (suggested by Mimi and
> Stefan)
>
> Roberto Sassu (3):
> security: Introduce LSM_ORDER_LAST and set it for the integrity LSM
> Revert "integrity: double check iint_cache was initialized"
> security: Remove integrity from the LSM list in Kconfig
>
> include/linux/lsm_hooks.h | 1 +
> security/Kconfig | 16 +++++++++-------
> security/integrity/iint.c | 9 +--------
> security/security.c | 12 +++++++++---
> 4 files changed, 20 insertions(+), 18 deletions(-)

I just merged the full patchset into the lsm/next branch, thanks everyone!