From: Casey Schaufler <casey@schaufler-ca.com>
To: Petr Vorel <pvorel@suse.cz>, zohar@linux.ibm.com
Cc: dvyukov@google.com, ebiggers@kernel.org, jmorris@namei.org,
	keescook@chromium.org, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, serge@hallyn.com,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH 2/2] integrity: double check iint_cache was initialized
Date: Thu, 24 Feb 2022 09:32:29 -0800
Message-ID: <418628ea-f524-05a1-8bfc-a688fa2d625d@schaufler-ca.com>
In-Reply-To: <20220224142025.2587-1-pvorel@suse.cz>

On 2/24/2022 6:20 AM, Petr Vorel wrote:
> Hi Mimi, Tetsuo, Kees, all,
>
> FYI this commit merged as 92063f3ca73a ("integrity: double check iint_cache was initialized")
> is the reason for openSUSE distro installer going back from lsm= to deprecated
> security= when filling default grub parameters because security=apparmor or
> security=selinux does not break boot when used with ima_policy=tcb, unlike
> using lsm.

OK, color me confused. Integrity isn't an LSM. It doesn't
call security_add_hooks().

> @Kees, @Mimi sure, people who use ima_policy=tcb will just remove lsm parameter
> or add "integrity" to it but I wonder whether there could be "integrity"
> automatic inclusion when using ima_policy=tcb. Although the point of lsm= (and
> CONFIG_LSM) is to have *ordered* list of enabled LSMs and it wouldn't be clear
> on which place.

Why would adding integrity to the lsm= make sense? It's not an LSM.

Sorry, but something is wrong here.

>
> Kind regards,
> Petr

Thread overview: 13+ messages
2021-03-22 15:42 [PATCH 1/2] ima: don't access a file's integrity status before an IMA policy is loaded Mimi Zohar
2021-03-22 15:42 ` [PATCH 2/2] integrity: double check iint_cache was initialized Mimi Zohar
2021-03-22 16:52   ` Eric Biggers
2021-03-22 18:02     ` Mimi Zohar
2022-02-24 14:20   ` Petr Vorel
2022-02-24 17:32     ` Casey Schaufler [this message]
2022-02-24 17:42       ` Petr Vorel
2022-02-24 18:51         ` Casey Schaufler
2022-02-25 19:58           ` Mimi Zohar
2022-02-28 13:44             ` Petr Vorel
2022-02-28 16:48               ` Mimi Zohar
2021-03-22 16:51 ` [PATCH 1/2] ima: don't access a file's integrity status before an IMA policy is loaded Eric Biggers
2021-03-22 18:02   ` Mimi Zohar
