From: Kees Cook
Date: Fri, 2 Nov 2018 13:49:09 -0700
Subject: Re: [PATCH security-next v5 12/30] LSM: Provide separate ordered initialization
To: Mimi Zohar
Cc: James Morris, Casey Schaufler, John Johansen, Stephen Smalley, Paul Moore, Tetsuo Handa, Mimi Zohar, Randy Dunlap, Jordan Glover, LSM, "open list:DOCUMENTATION", linux-arch, LKML
In-Reply-To: <1541182406.20901.31.camel@linux.ibm.com>
References: <20181011001846.30964-1-keescook@chromium.org> <20181011001846.30964-13-keescook@chromium.org> <1541182406.20901.31.camel@linux.ibm.com>

On Fri, Nov 2, 2018 at 11:13 AM, Mimi Zohar wrote:
> I don't recall why "integrity" is on the security_initcall, while both
> IMA and EVM are on the late_initcall().

It's because integrity needs to have a VFS buffer allocated extremely early, so it used the security init to do it. While it's not an LSM, it does use this part of LSM infrastructure. I didn't see an obvious alternative at the time, but now that I think about it, maybe just a simple postcore_initcall() would work?

-Kees

-- 
Kees Cook