On Mon, Jul 21, 2025 at 7:24 PM Paul Moore <p...@paul-moore.com> wrote:
>
> This patch converts IMA and EVM to use the LSM framework's initcall
> mechanism. There was a minor challenge in this conversion that wasn't
> seen when converting the other LSMs brought about by the resource
> sharing between the two related, yet independent IMA and EVM LSMs.
> This was resolved by registering the same initcalls for each LSM and
> including code in each registered initcall to ensure it only executes
> once during each boot.
>
> It is worth mentioning that this patch does not touch any of the
> "platform certs" code that lives in the security/integrity/platform_certs
> directory as the IMA/EVM maintainers have assured me that this code is
> unrelated to IMA/EVM, despite the location, and will be moved to a more
> relevant subsystem in the future.
>
> Signed-off-by: Paul Moore <p...@paul-moore.com>
> ---
> security/integrity/Makefile | 2 +-
> security/integrity/evm/evm_main.c | 6 ++---
> security/integrity/iint.c | 4 +--
> security/integrity/ima/ima_main.c | 6 ++---
> security/integrity/initcalls.c | 41 +++++++++++++++++++++++++++++++
> security/integrity/initcalls.h | 13 ++++++++++
> 6 files changed, 63 insertions(+), 9 deletions(-)
> create mode 100644 security/integrity/initcalls.c
> create mode 100644 security/integrity/initcalls.h
... > diff --git a/security/integrity/initcalls.h b/security/integrity/initcalls.h > new file mode 100644 > index 000000000000..5511c62f8166 > --- /dev/null > +++ b/security/integrity/initcalls.h > @@ -0,0 +1,13 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > + > +#ifndef PLATFORM_CERTS_INITCALLS_H > +#define PLATFORM_CERTS_INITCALLS_H Ooops, the above two lines can obviously be removed, vestiges of the previous revision. > +int integrity_fs_init(void); > + > +int init_ima(void); > +int init_evm(void); > + > +int integrity_late_init(void); > + > +#endif > -- > 2.50.1 -- paul-moore.com
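Review bot: The include guard in security/integrity/initcalls.h is named PLATFORM_CERTS_INITCALLS_H, which does not match the header's location and is at odds with the commit message's statement that the platform_certs code is untouched. If the `#ifndef`/`#define` pair is dropped as the reply says, the closing `#endif` at the end of the file has to go with it, otherwise the header is left with an unmatched `#endif`; the alternative is to keep a guard and rename it after the file, for example INTEGRITY_INITCALLS_H. The four prototypes also carry no comment saying which of them are registered by both IMA and EVM and must execute only once per boot, which the commit message identifies as the non-obvious part of this conversion; a one-line comment above those declarations would help.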