[PATCH 0/2] evm: disable EVM on overlayfs

From: Mimi Zohar
Date: Tue Dec 19 2023 - 08:50:01 EST

Next message: Mimi Zohar: "[PATCH 2/2] evm: add support to disable EVM on unsupported filesystems"
Previous message: Mimi Zohar: "[PATCH 1/2] evm: don't copy up 'security.evm' xattr"
Next in thread: Mimi Zohar: "[PATCH 1/2] evm: don't copy up 'security.evm' xattr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

EVM verifies the existing 'security.evm' value, before allowing it
to be updated. The EVM HMAC and the original file signatures contain
filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).

This poses a challenge when transitioning from the lower backing file
to the upper backing file.

Until a complete solution is developed, disable EVM on overlayfs.

Mimi Zohar (2):
evm: don't copy up 'security.evm' xattr
evm: add support to disable EVM on unsupported filesystems

include/linux/evm.h | 6 +++++
security/integrity/evm/evm_main.c | 42 ++++++++++++++++++++++++++++++-
security/security.c | 4 +++
3 files changed, 51 insertions(+), 1 deletion(-)

--
2.39.3

Next message: Mimi Zohar: "[PATCH 2/2] evm: add support to disable EVM on unsupported filesystems"
Previous message: Mimi Zohar: "[PATCH 1/2] evm: don't copy up 'security.evm' xattr"
Next in thread: Mimi Zohar: "[PATCH 1/2] evm: don't copy up 'security.evm' xattr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]