On Feb 15, 2024 Roberto Sassu roberto.sassu@huaweicloud.com wrote:
> IMA and EVM are not effectively LSMs, especially due to the fact that in the past they could not provide a security blob while there is another LSM active.
> That changed in recent years: the LSM stacking feature now makes it possible to stack together multiple LSMs, and allows them to provide a security blob for most kernel objects. While the LSM stacking feature has some limitations being worked out, it is already suitable to make IMA and EVM LSMs.
> The main purpose of this patch set is to remove IMA and EVM function calls, hardcoded in the LSM infrastructure and other places in the kernel, and to register them as LSM hook implementations, so that those functions are called by the LSM infrastructure like other regular LSMs.
As discussed earlier, I've just merged this into the lsm/dev tree; a big thank you to Roberto for working on this and to all who helped along the way with reviews, testing, etc. I've wanted to see IMA/EVM integrated as proper LSMs for a while and I'm very happy to finally see it happening.
Mimi, Roberto, I'm going to hold off on merging anything into the lsm/dev tree for a few days in case you decide you would prefer to take these patches yourselves. If I don't hear anything from the two of you, I'll plan to send these to Linus during the next merge window.
-- paul-moore.com