Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp2984838pxm;
        Mon, 28 Feb 2022 09:44:51 -0800 (PST)
X-Google-Smtp-Source: ABdhPJz+TdcN0G4zee1mEsjlMxDaCOvY0quA+aACdTRfUraayfSwKaH+85XC+x+cCp5OBs2tvevD
X-Received: by 2002:a05:6402:358c:b0:412:e44e:f62c with SMTP id y12-20020a056402358c00b00412e44ef62cmr20442566edc.206.1646070291426;
        Mon, 28 Feb 2022 09:44:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1646070291; cv=none;
        d=google.com; s=arc-20160816;
        b=Czv870oXZk3mTp0HU0GzbE6+vLghJHTWf8hXTPRPCNrf66mEDIdutI0gYUwBmj86sI
         We81uypNy2fTTqyRcBqNLy5uI9/DdlzYnM4A5lTW5sqtBqejMIihjICVO/dn94C38odr
         q2/ikmMov2u30JhFO+UeiwLJXYn4Yb6gNPMKZk7/7u9moHFHzbocEh/lo6p+mDY52F+E
         dJXwR0Puegmvicu5oApMA7bXC6bktfTkDqPs+F6w33EKIiTNPzss1eemO8Dreutch0tH
         qu4jLdwpmVTibi6gVbU//iYTmigji3kpM2PTcLzRyBdfQBkvye0pMjSE0ZRDNSfno2zw
         mAvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :dkim-signature;
        bh=CTDN8RZUPUuP8F+u+9VEaIHWUJd1d/j/SNjzUzHMsL0=;
        b=D8AkUkqUcc8fmHDVPahAYD5Hmfu6zmd2XcHBSIsnbZsMkHLjgY6IqvAEDaVMr7Qa39
         ZV/9iWmCP3ueFaMvBArwuDRCRN3aqMnWz4vcyMdXhPdcWin2fJACXeKKs5XErFP4VsKv
         Vst3/vI1DHc8aM4iYmYs/SkLDsDMh3i6T/IwM3ObBgfkuoDIXTcIO5inFCsnkKfomEs4
         4TbT520A5w3KdYyICnQ8J7yyCKrTShlpAbzbfhPCFiHReroasOJPVLTbWhYafpxHyZWt
         Lb99TUcmMSKUmDdrd5yR6nPpDeipYcHCgfF4qvzzF0XRMN7NW1KWMzVuadOn8H+zQoCc
         De0A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=qITNstVx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id o28-20020a05640219bc00b00412e5ea2339si7344986edz.356.2022.02.28.09.44.29;
        Mon, 28 Feb 2022 09:44:51 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=qITNstVx;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238020AbiB1Qte (ORCPT <rfc822;ankurbansal210989@gmail.com>
        + 99 others); Mon, 28 Feb 2022 11:49:34 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49306 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237790AbiB1Qtc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 28 Feb 2022 11:49:32 -0500
Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1696C23BC4;
        Mon, 28 Feb 2022 08:48:53 -0800 (PST)
Received: from pps.filterd (m0098413.ppops.net [127.0.0.1])
        by mx0b-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 21SG8Y43024567;
        Mon, 28 Feb 2022 16:48:40 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject :
 from : to : cc : date : in-reply-to : references : content-type :
 mime-version : content-transfer-encoding; s=pp1;
 bh=CTDN8RZUPUuP8F+u+9VEaIHWUJd1d/j/SNjzUzHMsL0=;
 b=qITNstVxkqf0oZQv+I0q/cOEGAQJ1X//k4iU46EaRRWuYjSACMj9cDV2MLVzuOJlAHqZ
 as7wAQqm8fXNl95IUsJIIc0sIN2LgogUANyHOXeN55odEg/Q08niQOAw7P64i/MHpVZR
 G66D5h8sEFHZ3BRK0D7VYTx6PaB2l4dwUU+GITeqz3eL4EokQoVp9P1uvIjMP8N7yRJA
 M6MHrR01Ho/jQ7xlve4AvS1bjur2TP3jA/vA/BVXsPb5lBkwNF78PndobNRUftWr9IY4
 liA6wLrQPXzgrllaW36TEMIninMNy3JODjBuK+KPR+oxdE0YZL8Dymw16BcgFaFix0LO jw== 
Received: from pps.reinject (localhost [127.0.0.1])
        by mx0b-001b2d01.pphosted.com with ESMTP id 3eh0tq2cuh-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 28 Feb 2022 16:48:40 +0000
Received: from m0098413.ppops.net (m0098413.ppops.net [127.0.0.1])
        by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 21SG9YNE026749;
        Mon, 28 Feb 2022 16:48:39 GMT
Received: from ppma04ams.nl.ibm.com (63.31.33a9.ip4.static.sl-reverse.com [169.51.49.99])
        by mx0b-001b2d01.pphosted.com with ESMTP id 3eh0tq2cu3-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 28 Feb 2022 16:48:39 +0000
Received: from pps.filterd (ppma04ams.nl.ibm.com [127.0.0.1])
        by ppma04ams.nl.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 21SGlL6h012770;
        Mon, 28 Feb 2022 16:48:38 GMT
Received: from b06cxnps4076.portsmouth.uk.ibm.com (d06relay13.portsmouth.uk.ibm.com [9.149.109.198])
        by ppma04ams.nl.ibm.com with ESMTP id 3egbj1442b-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 28 Feb 2022 16:48:37 +0000
Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61])
        by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 21SGmZaf52298016
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Mon, 28 Feb 2022 16:48:35 GMT
Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 7DCD311C04C;
        Mon, 28 Feb 2022 16:48:35 +0000 (GMT)
Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 1691811C052;
        Mon, 28 Feb 2022 16:48:34 +0000 (GMT)
Received: from sig-9-65-90-138.ibm.com (unknown [9.65.90.138])
        by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Mon, 28 Feb 2022 16:48:33 +0000 (GMT)
Message-ID: <cacde31235f08eeec698c63025a0eef81e10fe71.camel@linux.ibm.com>
Subject: Re: [PATCH 2/2] integrity: double check iint_cache was initialized
From:   Mimi Zohar <zohar@linux.ibm.com>
To:     Petr Vorel <pvorel@suse.cz>
Cc:     Casey Schaufler <casey@schaufler-ca.com>, dvyukov@google.com,
        ebiggers@kernel.org, jmorris@namei.org, keescook@chromium.org,
        linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, serge@hallyn.com
Date:   Mon, 28 Feb 2022 11:48:33 -0500
In-Reply-To: <YhzRvhsOPxrKHzq9@pevik>
References: <20210322154207.6802-2-zohar@linux.ibm.com>
         <20220224142025.2587-1-pvorel@suse.cz>
         <418628ea-f524-05a1-8bfc-a688fa2d625d@schaufler-ca.com>
         <YhfDhYQYZTU0clAf@pevik>
         <9405bcfc-78bd-8e7f-41d4-b919221f73e4@schaufler-ca.com>
         <c4842493db13fd6f05eda54c1ef4c94e9d687850.camel@linux.ibm.com>
         <YhzRvhsOPxrKHzq9@pevik>
Content-Type: text/plain; charset="ISO-8859-15"
X-Mailer: Evolution 3.28.5 (3.28.5-18.el8) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: QHE7bNUj7o1HHzUF2JUErdToGUpWyC_p
X-Proofpoint-GUID: Ahd4gYdJDBnigI7MtH2YBbiq5XUX9GfC
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.64.514
 definitions=2022-02-28_07,2022-02-26_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 mlxlogscore=955
 bulkscore=0 clxscore=1011 adultscore=0 lowpriorityscore=0 suspectscore=0
 phishscore=0 impostorscore=0 malwarescore=0 priorityscore=1501 spamscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2201110000
 definitions=main-2202280087
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_EF,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 2022-02-28 at 14:44 +0100, Petr Vorel wrote:
> Hi Mimi, all,
> 
> > Hi Petr, Casey,
> 
> > On Thu, 2022-02-24 at 10:51 -0800, Casey Schaufler wrote:
> > > On 2/24/2022 9:42 AM, Petr Vorel wrote:
> 
> > > It was always my expectation, which appears to have been poorly
> > > communicated, that "making integrity an LSM" meant using the LSM
> > > hook infrastructure. Just adding "integrity" to lsm= doesn't make
> > > it an LSM to my mind.
> 
> > Agreed.  The actual commit that introduced the change was 3d6e5f6dcf65
> > ("LSM: Convert security_initcall() into DEFINE_LSM()").
> I wonder whether we can improve things now.

I'm not sure it is possible to revert the change.  Perhaps the simplest
solution would be to move integrity off the security hook.  It just
needs to be initialized before EVM and IMA.

thanks,

Mimi