Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization

[PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 03/30] LSM: Rename .security_initcall section to .lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 02/30] vmlinux.lds.h: Avoid copy/paste of security_init section · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 04/30] LSM: Remove initcall tracing · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 01/30] LSM: Correctly announce start of LSM initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 08/30] LSM: Record LSM name in struct lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 05/30] LSM: Convert from initcall to struct lsm_info · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 09/30] LSM: Provide init debugging infrastructure · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 11/30] LSM: Introduce LSM_FLAG_LEGACY_MAJOR · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Mimi Zohar <zohar@linux.ibm.com> · 2018-11-02
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-11-02
Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization · Mimi Zohar <zohar@linux.ibm.com> · 2018-11-05
[PATCH security-next v5 13/30] LoadPin: Rename boot param "enabled" to "enforce" · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 21/30] LSM: Refactor "security=" in terms of enable/disable · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 16/30] LSM: Build ordered list of LSMs to initialize · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 15/30] LSM: Lift LSM selection out of individual LSMs · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 14/30] LSM: Plumb visibility into optional "enabled" state · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 10/30] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 06/30] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 07/30] LSM: Convert security_initcall() into DEFINE_LSM() · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 18/30] LSM: Introduce "lsm=" for boottime LSM selection · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 24/30] selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 30/30] capability: Initialize as LSM_ORDER_FIRST · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 25/30] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 23/30] apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 22/30] LSM: Separate idea of "major" LSM from "exclusive" LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 19/30] LSM: Tie enabling logic to presence in ordered list · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 20/30] LSM: Prepare for reorganizing "security=" logic · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 28/30] Yama: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 27/30] LoadPin: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 26/30] LSM: Split LSM preparation from initialization · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 17/30] LSM: Introduce CONFIG_LSM · Kees Cook <hidden> · 2018-10-11
[PATCH security-next v5 29/30] LSM: Introduce enum lsm_order · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · James Morris <jmorris@namei.org> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · James Morris <jmorris@namei.org> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-23
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-10-24
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Kees Cook <hidden> · 2018-10-24
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-14
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-11-20
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-11
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · Jordan Glover <hidden> · 2018-10-12
Re: [PATCH security-next v5 00/30] LSM: Explict ordering · John Johansen <john.johansen@canonical.com> · 2018-10-12

From: Kees Cook <hidden>
Date: 2018-11-02 20:49:16
Also in: linux-arch, linux-doc, lkml

On Fri, Nov 2, 2018 at 11:13 AM, Mimi Zohar [off-list ref] wrote:

I don't recall why "integrity" is on the security_initcall, while both
IMA and EVM are on the late_initcall().

It's because integrity needs to have a VFS buffer allocated extremely
early, so it used the security init to do it. While it's not an LSM,
it does use this part of LSM infrastructure. I didn't see an obvious
alternative at the time, but now that I think about it, maybe just a
simple postcore_initcall() would work?

-Kees

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help