Re: [PATCH 3/9] ima: Move xattr hooks into LSM

[PATCH 0/9] integrity: Move hooks into LSM · Kees Cook <hidden> · 2022-10-13
[PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Kees Cook <hidden> · 2022-10-13
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Mickaël Salaün <mic@digikod.net> · 2022-10-14
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Kees Cook <hidden> · 2022-10-14
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Mickaël Salaün <mic@digikod.net> · 2022-10-17
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Kees Cook <hidden> · 2022-10-17
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Kees Cook <hidden> · 2022-10-19
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Mimi Zohar <zohar@linux.ibm.com> · 2022-10-19
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Kees Cook <hidden> · 2022-10-19
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Mimi Zohar <zohar@linux.ibm.com> · 2022-10-19
Re: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM · Kees Cook <hidden> · 2022-10-19
[PATCH 3/9] ima: Move xattr hooks into LSM · Kees Cook <hidden> · 2022-10-13
Re: [PATCH 3/9] ima: Move xattr hooks into LSM · Christian Brauner <brauner@kernel.org> · 2022-10-18
Re: [PATCH 3/9] ima: Move xattr hooks into LSM · Mimi Zohar <zohar@linux.ibm.com> · 2022-10-19
[PATCH 2/9] security: Move trivial IMA hooks into LSM · Kees Cook <hidden> · 2022-10-13
Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM · Mimi Zohar <zohar@linux.ibm.com> · 2022-10-19
Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM · Kees Cook <hidden> · 2022-10-19
Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM · Mimi Zohar <zohar@linux.ibm.com> · 2022-10-19
Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM · Kees Cook <hidden> · 2022-10-19
Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM · Mimi Zohar <zohar@linux.ibm.com> · 2022-10-20
Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM · Dr. Greg <hidden> · 2022-10-21
Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM · Casey Schaufler <casey@schaufler-ca.com> · 2022-10-21
[PATCH 4/9] ima: Move ima_file_free() into LSM · Kees Cook <hidden> · 2022-10-13
Re: [PATCH 4/9] ima: Move ima_file_free() into LSM · Christian Brauner <brauner@kernel.org> · 2022-10-18
Re: [PATCH 4/9] ima: Move ima_file_free() into LSM · Roberto Sassu <hidden> · 2022-10-18
Re: [PATCH 4/9] ima: Move ima_file_free() into LSM · Kees Cook <hidden> · 2022-10-18
Re: [PATCH 4/9] ima: Move ima_file_free() into LSM · Roberto Sassu <hidden> · 2022-10-19
Re: [PATCH 4/9] ima: Move ima_file_free() into LSM · Paul Moore <paul@paul-moore.com> · 2022-10-20
[PATCH 8/9] integrity: Move trivial hooks into LSM · Kees Cook <hidden> · 2022-10-13
[PATCH 5/9] LSM: Introduce inode_post_setattr hook · Kees Cook <hidden> · 2022-10-13
Re: [PATCH 5/9] LSM: Introduce inode_post_setattr hook · Christian Brauner <brauner@kernel.org> · 2022-10-18
[PATCH 6/9] fs: Introduce file_to_perms() helper · Kees Cook <hidden> · 2022-10-13
Re: [PATCH 6/9] fs: Introduce file_to_perms() helper · Christian Brauner <brauner@kernel.org> · 2022-10-18
Re: [PATCH 6/9] fs: Introduce file_to_perms() helper · Kees Cook <hidden> · 2022-10-18
Re: [PATCH 6/9] fs: Introduce file_to_perms() helper · Casey Schaufler <casey@schaufler-ca.com> · 2022-10-20
Re: [PATCH 6/9] fs: Introduce file_to_perms() helper · Kees Cook <hidden> · 2022-10-20
[PATCH 9/9] integrity: Move integrity_inode_get() out of global header · Kees Cook <hidden> · 2022-10-13
[PATCH 7/9] ima: Move ima_file_check() into LSM · Kees Cook <hidden> · 2022-10-13
Re: [PATCH 0/9] integrity: Move hooks into LSM · Paul Moore <paul@paul-moore.com> · 2022-10-13
Re: [PATCH 0/9] integrity: Move hooks into LSM · Mimi Zohar <zohar@linux.ibm.com> · 2022-10-14
Re: [PATCH 0/9] integrity: Move hooks into LSM · Mickaël Salaün <mic@digikod.net> · 2022-10-18
Re: [PATCH 0/9] integrity: Move hooks into LSM · Roberto Sassu <hidden> · 2022-10-18
Re: [PATCH 0/9] integrity: Move hooks into LSM · Kees Cook <hidden> · 2022-10-18
Re: [PATCH 0/9] integrity: Move hooks into LSM · Casey Schaufler <casey@schaufler-ca.com> · 2022-10-20

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2022-10-19 13:37:52
Also in: linux-hardening, linux-integrity, lkml

On Tue, 2022-10-18 at 17:07 +0200, Christian Brauner wrote:

On Thu, Oct 13, 2022 at 03:36:48PM -0700, Kees Cook wrote:

quoted

Move the xattr IMA hooks into normal LSM layer. As with SELinux and
Smack, handle calling cap_inode_setxattr() internally.

Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Borislav Petkov <redacted>
Cc: Jonathan McDowell <redacted>
Cc: Takashi Iwai <redacted>
Cc: Petr Vorel <pvorel@suse.cz>
Cc: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook <redacted>
---

I like that changes obviously but in general, does IMA depend on being
called _after_ all other LSMs or is this just a historical artifact?

Calculating the EVM HMAC must be last, after the other security xattrs
have been updated.

-- 
thanks,

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help