Re: [PATCH v10 3/4] evm: Align evm_inode_init_security() definition with LSM infrastructure

From: Paul Moore
Date: Tue Apr 04 2023 - 14:56:36 EST

Next message: Yang Shi: "Re: [PATCH] cpufreq: CPPC: use 10ms delay instead of 2us to avoid high error"
Previous message: Paul Moore: "Re: [PATCH v10 2/4] security: Allow all LSMs to provide xattrs for inode_init_security hook"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Mar 31, 2023 at 8:33 AM Roberto Sassu
<roberto.sassu@xxxxxxxxxxxxxxx> wrote:
>
> From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
>
> Change the evm_inode_init_security() definition to align with the LSM
> infrastructure. Keep the existing behavior of including in the HMAC
> calculation only the first xattr provided by LSMs.
>
> Changing the evm_inode_init_security() definition requires passing the
> xattr array allocated by security_inode_init_security(), and the number of
> xattrs filled by previously invoked LSMs.
>
> Use the newly introduced lsm_get_xattr_slot() to position EVM correctly in
> the xattrs array, like a regular LSM, and to increment the number of filled
> slots. For now, the LSM infrastructure allocates enough xattrs slots to
> store the EVM xattr, without using the reservation mechanism.
>
> Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> ---
> include/linux/evm.h | 13 +++++++------
> security/integrity/evm/evm_main.c | 16 ++++++++++------
> security/security.c | 6 +++---
> 3 files changed, 20 insertions(+), 15 deletions(-)

This seems reasonable to me, but I'll want to see a sign-off from Mimi
for the EVM bits. Same thing for patch 4/4.

--
paul-moore.com

Next message: Yang Shi: "Re: [PATCH] cpufreq: CPPC: use 10ms delay instead of 2us to avoid high error"
Previous message: Paul Moore: "Re: [PATCH v10 2/4] security: Allow all LSMs to provide xattrs for inode_init_security hook"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]