From: Paul Moore
Date: Thu, 12 Jan 2023 12:15:51 -0500
Subject: Re: [PATCH v7 0/6] evm: Do HMAC of multiple per LSM xattrs for new inodes
To: Roberto Sassu
Cc: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, casey@schaufler-ca.com, ocfs2-devel@oss.oracle.com, reiserfs-devel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-kernel@vger.kernel.org, keescook@chromium.org, nicolas.bouchinet@clip-os.org, Roberto Sassu
In-Reply-To: <20221201104125.919483-1-roberto.sassu@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 1, 2022 at 5:42 AM Roberto Sassu wrote:
>
> From: Roberto Sassu
>
> One of the major goals of LSM stacking is to run multiple LSMs side by side
> without interfering with each other. The ultimate decision will depend on
> individual LSM decision.
>
> Several changes need to be made to the LSM infrastructure to be able to
> support that. This patch set tackles one of them: gives to each LSM the
> ability to specify one or multiple xattrs to be set at inode creation
> time and, at the same time, gives to EVM the ability to access all those
> xattrs and calculate the HMAC on them.

...

> The patch set has been tested with both the SELinux and Smack test suites.
> Below, there is the summary of the test results:
>
> SELinux Test Suite result (without patches):
> Files=73, Tests=1346, 225 wallclock secs ( 0.43 usr 0.23 sys + 6.11 cusr 58.70 csys = 65.47 CPU)
> Result: FAIL
> Failed 4/73 test programs. 13/1346 subtests failed.
>
> SELinux Test Suite result (with patches):
> Files=73, Tests=1346, 225 wallclock secs ( 0.44 usr 0.22 sys + 6.15 cusr 59.94 csys = 66.75 CPU)
> Result: FAIL
> Failed 4/73 test programs. 13/1346 subtests failed.

Can you provide some more information on which of the
selinux-testsuite tests failed? That shouldn't be happening and I'm a
little concerned that these test failures, even if unrelated to your
work here, could be masking failures which are related.

-- 
paul-moore.com