From patchwork Thu Mar 9 08:54:31 2023
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 66723
From: Roberto Sassu
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu
Subject: [PATCH v3 1/3] security: Introduce LSM_ORDER_LAST and set it for the integrity LSM
Date: Thu, 9 Mar 2023 09:54:31 +0100
Message-Id: <20230309085433.1810314-2-roberto.sassu@huaweicloud.com>
In-Reply-To: <20230309085433.1810314-1-roberto.sassu@huaweicloud.com>
References: <20230309085433.1810314-1-roberto.sassu@huaweicloud.com>

From: Roberto Sassu

Introduce LSM_ORDER_LAST, to satisfy the requirement of LSMs needing to be last, e.g. the 'integrity' LSM, without changing the kernel command line or configuration.

Also, set this order for the 'integrity' LSM. While not enforced, this is the only LSM expected to use it.

Similarly to LSM_ORDER_FIRST, LSMs with LSM_ORDER_LAST are always enabled and put at the end of the LSM list.

Finally, for LSM_ORDER_MUTABLE LSMs, set the found variable to true if an LSM is found, regardless of its order. In this way, the kernel would not wrongly report that the LSM is not built-in in the kernel if its order is LSM_ORDER_LAST.

Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection")
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
--- include/linux/lsm_hooks.h | 1 + security/integrity/iint.c | 1 + security/security.c | 12 +++++++++--- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 6e156d2acff..c55761d93a2 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1716,6 +1716,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count, enum lsm_order { LSM_ORDER_FIRST = -1, /* This is only for capabilities. */ LSM_ORDER_MUTABLE = 0, + LSM_ORDER_LAST = 1, /* This is only for integrity. */ }; struct lsm_info { diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 8638976f799..b97eb59e0e3 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c
@@ -182,6 +182,7 @@ static int __init integrity_iintcache_init(void) DEFINE_LSM(integrity) = { .name = "integrity", .init = integrity_iintcache_init, + .order = LSM_ORDER_LAST, }; diff --git a/security/security.c b/security/security.c index cf6cc576736..2f36229d5b6 100644 --- a/security/security.c +++ b/security/security.c @@ -284,9 +284,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) bool found = false; for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { - if (lsm->order == LSM_ORDER_MUTABLE && - strcmp(lsm->name, name) == 0) { - append_ordered_lsm(lsm, origin); + if (strcmp(lsm->name, name) == 0) { + if (lsm->order == LSM_ORDER_MUTABLE) + append_ordered_lsm(lsm, origin); found = true; } } 
@@ -306,6 +306,12 @@ static void __init ordered_lsm_parse(const char *order, const char *origin) } } + /* LSM_ORDER_LAST is always last. */ + for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { + if (lsm->order == LSM_ORDER_LAST) + append_ordered_lsm(lsm, " last"); + } + /* Disable all LSMs not in the ordered list. */ for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) { if (exists_ordered_lsm(lsm))

From patchwork Thu Mar 9 08:54:32 2023
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 66720
From: Roberto Sassu
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu
Subject: [PATCH v3 2/3] Revert "integrity: double check iint_cache was initialized"
Date: Thu, 9 Mar 2023 09:54:32 +0100
Message-Id: <20230309085433.1810314-3-roberto.sassu@huaweicloud.com>
In-Reply-To: <20230309085433.1810314-1-roberto.sassu@huaweicloud.com>
References: <20230309085433.1810314-1-roberto.sassu@huaweicloud.com>

From: Roberto Sassu

With the recent introduction of LSM_ORDER_LAST, the 'integrity' LSM is always initialized and the iint_cache is always created (the kernel panics on error). Thus, the additional check of iint_cache in integrity_inode_get() is no longer necessary.

This reverts commit 92063f3ca73aab794bd5408d3361fd5b5ea33079.

Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
--- security/integrity/iint.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/security/integrity/iint.c b/security/integrity/iint.c index b97eb59e0e3..c73858e8c6d 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c
@@ -98,14 +98,6 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) struct rb_node *node, *parent = NULL; struct integrity_iint_cache *iint, *test_iint; - /* - * The integrity's "iint_cache" is initialized at security_init(), - * unless it is not included in the ordered list of LSMs enabled - * on the boot command line. - */ - if (!iint_cache) - panic("%s: lsm=integrity required.\n", __func__); - iint = integrity_iint_find(inode); if (iint) return iint;

From patchwork Thu Mar 9 08:54:33 2023
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 66715
From: Roberto Sassu
To: zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, Roberto Sassu
Subject: [PATCH v3 3/3] security: Remove integrity from the LSM list in Kconfig
Date: Thu, 9 Mar 2023 09:54:33 +0100
Message-Id: <20230309085433.1810314-4-roberto.sassu@huaweicloud.com>
In-Reply-To: <20230309085433.1810314-1-roberto.sassu@huaweicloud.com>
References: <20230309085433.1810314-1-roberto.sassu@huaweicloud.com>

From: Roberto Sassu

Remove 'integrity' from the list of LSMs in Kconfig, as it is no longer necessary. Since the recent change (set order to LSM_ORDER_LAST), the 'integrity' LSM is always enabled.

Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
--- security/Kconfig | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index e6db09a779b..e109b4d5616 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -246,11 +246,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be
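
Review bot: In patch 1/3, the first security/security.c hunk (ordered_lsm_parse(), @@ -284) now sets found = true on any name match, so a name in the list that belongs to an LSM whose order is not LSM_ORDER_MUTABLE is accepted and then skipped without any trace that its position in the list had no effect. Since append_ordered_lsm() is only reached in the inner "if (lsm->order == LSM_ORDER_MUTABLE)" branch, consider adding a debug message in the other case saying the entry was recognised but its order is fixed, so that someone who still lists 'integrity' can see why reordering it changes nothing.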
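
Review bot: In patch 1/3, the second security/security.c hunk (@@ -306) appends every lsm_info whose order is LSM_ORDER_LAST, so if a second LSM ever sets that order, "always last" holds only for whichever of them comes later between __start_lsm_info and __end_lsm_info. The enum comment says "This is only for integrity" and the commit message says this is not enforced; either enforce it in this loop (for example, warn when more than one match is seen) or state the tie-break rule in the comment above the loop, because an LSM that relies on running after all others would otherwise lose that property silently.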
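
Review bot: In patch 2/3, the removed "if (!iint_cache) panic(...)" at the top of integrity_inode_get() turned a missing cache into an explicit message, and after the revert that guarantee rests entirely on ".order = LSM_ORDER_LAST" in DEFINE_LSM(integrity) from patch 1/3. Patch 1/3 carries a Fixes: tag and this one does not, so the commit message should state that this revert must not be applied or backported without patch 1/3, and a short comment at DEFINE_LSM(integrity) noting that integrity_inode_get() depends on the fixed order would keep the two from drifting apart.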
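
Review bot: In patch 3/3, the help text kept as context at the end of the security/Kconfig hunk still reads "Any LSMs left off this list will be ignored", which no longer holds for 'integrity' once it is dropped from all five defaults and enabled through LSM_ORDER_LAST instead. Suggest extending the help text in the same patch to say that LSMs with a fixed order are always enabled and are not affected by this list, so that someone auditing a config does not conclude from the absence of 'integrity' in CONFIG_LSM that it is off.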