> > recursive call. However, since verification from EVM can be initiated only
> > by setting inode metadata, deadlock would occur if modprobe would do the
> > same while loading a kernel module (which is unlikely).
> >
> > Signed-off-by: Roberto Sassu
> > Acked
On Wed, 2024-02-14 at 16:21 -0500, Paul Moore wrote:
> On Wed, Feb 14, 2024 at 3:07 PM Mimi Zohar wrote:
> > On Tue, 2024-02-13 at 10:33 -0500, Paul Moore wrote:
> > > On Tue, Feb 13, 2024 at 7:59 AM Roberto Sassu
> > > wrote:
> > > > On Mon, 2024
On Tue, 2024-02-13 at 10:33 -0500, Paul Moore wrote:
> On Tue, Feb 13, 2024 at 7:59 AM Roberto Sassu
> wrote:
> > On Mon, 2024-02-12 at 16:16 -0500, Paul Moore wrote:
> > > On Mon, Feb 12, 2024 at 4:06 PM Mimi Zohar wrote:
> > > > Hi Roberto,
> > > >
Hi Roberto,
> diff --git a/security/security.c b/security/security.c
> index d9d2636104db..f3d92bffd02f 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2972,6 +2972,23 @@ int security_file_open(struct file *file)
> return fsnotify_perm(file, MAY_OPEN); <=== Conflict
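Review bot: the context line `return fsnotify_perm(file, MAY_OPEN);` at the top of the security_file_open() hunk is flagged as a conflict, so the context in security/security.c needs to be checked against the target tree. Rebase and regenerate the hunk so that its context matches before the 17 lines the hunk header says it adds are reviewed or merged.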
On Tue, 2024-01-02 at 12:56 +0100, Roberto Sassu wrote:
> On 12/26/2023 11:13 PM, Mimi Zohar wrote:
> > On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> >> From: Roberto Sassu
> >>
> >> As for IMA, move hardcoded EVM function calls from various
On Tue, 2023-12-26 at 12:14 -0800, Casey Schaufler wrote:
> On 12/26/2023 10:14 AM, Mimi Zohar wrote:
> > On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> >> From: Roberto Sassu
> >>
> >> Move hardcoded IMA function calls (not appraisal-specific functi
On Wed, 2023-12-27 at 17:39 +0100, Roberto Sassu wrote:
> On 12/27/2023 2:22 PM, Mimi Zohar wrote:
> > On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> >> From: Roberto Sassu
> >>
> >> Make the 'ima' LSM independent from the 'integrity'
On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Make the 'ima' LSM independent from the 'integrity' LSM by introducing IMA
> own integrity metadata (ima_iint_cache structure, with IMA-specific fields
> from the integrity_iint_cache structure), and by managing it
On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Define a new structure for EVM-specific metadata, called evm_iint_cache,
> and embed it in the inode security blob. Introduce evm_iint_inode() to
> retrieve metadata, and register evm_inode_alloc_security() for the
laces in the kernel to the LSM infrastructure. Declare the
> functions as static and register them as hook implementations in
> init_ima_appraise_lsm(), called by init_ima_lsm().
>
> Signed-off-by: Roberto Sassu
> Reviewed-by: Stefan Berger
> Reviewed-by: Mimi Zohar
On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> As for IMA, move hardcoded EVM function calls from various places in the
> kernel to the LSM infrastructure, by introducing a new LSM named 'evm'
> (last and always enabled like 'ima'). The order in the Makefile ens
On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Move hardcoded IMA function calls (not appraisal-specific functions) from
> various places in the kernel to the LSM infrastructure, by introducing a
> new LSM named 'ima' (at the end of the LSM list and always enabl
12 matches