security: Don't yet account for IMA in LSM_CONFIG_COUNT calculation

Message ID 20231026090259.362945-1-roberto.sassu@huaweicloud.com
State New

Commit Message

Roberto Sassu Oct. 26, 2023, 9:02 a.m. UTC
  From: Roberto Sassu <roberto.sassu@huawei.com>

Since IMA is not yet an LSM, don't account for it in the LSM_CONFIG_COUNT
calculation, used to limit how many LSMs can invoke security_add_hooks().

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/security.c | 1 -
 1 file changed, 1 deletion(-)
  

Comments

Paul Moore Oct. 26, 2023, 2:48 p.m. UTC | #1
On Oct 26, 2023 Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> 
> Since IMA is not yet an LSM, don't account for it in the LSM_CONFIG_COUNT
> calculation, used to limit how many LSMs can invoke security_add_hooks().
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
>  security/security.c | 1 -
>  1 file changed, 1 deletion(-)

Merged into lsm/dev-staging, thanks!

--
paul-moore.com
  
Roberto Sassu Oct. 26, 2023, 3:12 p.m. UTC | #2
On Thu, 2023-10-26 at 10:48 -0400, Paul Moore wrote:
> On Oct 26, 2023 Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> > 
> > Since IMA is not yet an LSM, don't account for it in the LSM_CONFIG_COUNT
> > calculation, used to limit how many LSMs can invoke security_add_hooks().
> > 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > ---
> >  security/security.c | 1 -
> >  1 file changed, 1 deletion(-)
> 
> Merged into lsm/dev-staging, thanks!

Welcome!

Could you please also rebase lsm/dev-staging, to move ab3888c7198d
("LSM: wireup Linux Security Module syscalls") after f7875966dc0c
("tools headers UAPI: Sync files changed by new fchmodat2 and
map_shadow_stack syscalls with the kernel sources")?

Thanks

Roberto
  
Paul Moore Oct. 26, 2023, 3:59 p.m. UTC | #3
On Thu, Oct 26, 2023 at 11:12 AM Roberto Sassu
<roberto.sassu@huaweicloud.com> wrote:
> On Thu, 2023-10-26 at 10:48 -0400, Paul Moore wrote:
> > On Oct 26, 2023 Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> > >
> > > Since IMA is not yet an LSM, don't account for it in the LSM_CONFIG_COUNT
> > > calculation, used to limit how many LSMs can invoke security_add_hooks().
> > >
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > ---
> > >  security/security.c | 1 -
> > >  1 file changed, 1 deletion(-)
> >
> > Merged into lsm/dev-staging, thanks!
>
> Welcome!
>
> Could you please also rebase lsm/dev-staging, to move ab3888c7198d
> ("LSM: wireup Linux Security Module syscalls") after f7875966dc0c
> ("tools headers UAPI: Sync files changed by new fchmodat2 and
> map_shadow_stack syscalls with the kernel sources")?

Let me look into that, as long as it doesn't blow up the stuff in
lsm/dev (I don't think it would), I'll go ahead and rebase to v6.6-rc4
which should resolve the syscall numbering conflict.

FWIW, I also hit the same problem with my kernel-secnext builds, if
you're using those RPMs you'll find it's already resolved there.
  
Paul Moore Oct. 26, 2023, 4:36 p.m. UTC | #4
On Thu, Oct 26, 2023 at 11:59 AM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Oct 26, 2023 at 11:12 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> > On Thu, 2023-10-26 at 10:48 -0400, Paul Moore wrote:
> > > On Oct 26, 2023 Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> > > >
> > > > Since IMA is not yet an LSM, don't account for it in the LSM_CONFIG_COUNT
> > > > calculation, used to limit how many LSMs can invoke security_add_hooks().
> > > >
> > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > > ---
> > > >  security/security.c | 1 -
> > > >  1 file changed, 1 deletion(-)
> > >
> > > Merged into lsm/dev-staging, thanks!
> >
> > Welcome!
> >
> > Could you please also rebase lsm/dev-staging, to move ab3888c7198d
> > ("LSM: wireup Linux Security Module syscalls") after f7875966dc0c
> > ("tools headers UAPI: Sync files changed by new fchmodat2 and
> > map_shadow_stack syscalls with the kernel sources")?
>
> Let me look into that, as long as it doesn't blow up the stuff in
> lsm/dev (I don't think it would), I'll go ahead and rebase to v6.6-rc4
> which should resolve the syscall numbering conflict.
>
> FWIW, I also hit the same problem with my kernel-secnext builds, if
> you're using those RPMs you'll find it's already resolved there.

That wasn't very messy so I've rebased lsm/dev-staging to v6.6-rc4 and
regenerated lsm/next.  If you notice any problems please let me know.
  
Paul Moore Nov. 13, 2023, 4:06 a.m. UTC | #5
On Thu, Oct 26, 2023 at 12:36 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Oct 26, 2023 at 11:59 AM Paul Moore <paul@paul-moore.com> wrote:
> > On Thu, Oct 26, 2023 at 11:12 AM Roberto Sassu
> > <roberto.sassu@huaweicloud.com> wrote:
> > > On Thu, 2023-10-26 at 10:48 -0400, Paul Moore wrote:
> > > > On Oct 26, 2023 Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:
> > > > >
> > > > > Since IMA is not yet an LSM, don't account for it in the LSM_CONFIG_COUNT
> > > > > calculation, used to limit how many LSMs can invoke security_add_hooks().
> > > > >
> > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > > > ---
> > > > >  security/security.c | 1 -
> > > > >  1 file changed, 1 deletion(-)
> > > >
> > > > Merged into lsm/dev-staging, thanks!
> > >
> > > Welcome!
> > >
> > > Could you please also rebase lsm/dev-staging, to move ab3888c7198d
> > > ("LSM: wireup Linux Security Module syscalls") after f7875966dc0c
> > > ("tools headers UAPI: Sync files changed by new fchmodat2 and
> > > map_shadow_stack syscalls with the kernel sources")?
> >
> > Let me look into that, as long as it doesn't blow up the stuff in
> > lsm/dev (I don't think it would), I'll go ahead and rebase to v6.6-rc4
> > which should resolve the syscall numbering conflict.
> >
> > FWIW, I also hit the same problem with my kernel-secnext builds, if
> > you're using those RPMs you'll find it's already resolved there.
>
> That wasn't very messy so I've rebased lsm/dev-staging to v6.6-rc4 and
> regenerated lsm/next.  If you notice any problems please let me know.

Now merged into lsm/dev, thanks Roberto!
  

Patch

diff --git a/security/security.c b/security/security.c
index 988483fcf153..7281aa90ca20 100644
--- a/security/security.c
+++ b/security/security.c
@@ -44,7 +44,6 @@ 
 	(IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
 	(IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
 	(IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \
-	(IS_ENABLED(CONFIG_IMA) ? 1 : 0) + \
 	(IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \
 	(IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \
 	(IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \
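
Review bot: the changelog for the removal of `(IS_ENABLED(CONFIG_IMA) ? 1 : 0) + \` (old line 47 of security/security.c) does not say which commit added the term or what happens once IMA does become an LSM. Since the message says IMA is "not yet" an LSM, suggest naming the commit that introduced the term (with a Fixes: tag if it is already in a published tree) and noting that the patch converting IMA to an LSM has to restore it, otherwise the limit on security_add_hooks() callers would be one short at that point. It would also help to state whether the over-count had any observable effect, because the visible lines do not show if this is a cleanup or a functional fix.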