[PATCH v2 0/3] evm: disable EVM on overlayfs

From: Mimi Zohar
Date: Tue Dec 19 2023 - 12:58:10 EST

Next message: fan: "Re: [PATCH v2 2/2] cxl/cdat: Fix header sum value in CDAT checksum"
Previous message: Paul Cercueil: "[PATCH v5 8/8] Documentation: iio: Document high-speed DMABUF based API"
Next in thread: Mimi Zohar: "[PATCH v2 1/3] evm: don't copy up 'security.evm' xattr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

EVM verifies the existing 'security.evm' value, before allowing it
to be updated. The EVM HMAC and the original file signatures contain
filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).

This poses a challenge when transitioning from the lower backing file
to the upper backing file.

Until a complete solution is developed, disable EVM on overlayfs.

Changelog v2:
Addressed Amir's comments:
- Simplified security_inode_copy_up_xattr() return.
- Identified filesystems that don't support EVM based on a new SB_I flag.

Mimi Zohar (3):
evm: don't copy up 'security.evm' xattr
evm: add support to disable EVM on unsupported filesystems
overlay: disable EVM

fs/overlayfs/super.c | 1 +
include/linux/evm.h | 6 +++++
include/linux/fs.h | 1 +
security/integrity/evm/evm_main.c | 42 ++++++++++++++++++++++++++++++-
security/security.c | 2 +-
5 files changed, 50 insertions(+), 2 deletions(-)

--
2.39.3

Next message: fan: "Re: [PATCH v2 2/2] cxl/cdat: Fix header sum value in CDAT checksum"
Previous message: Paul Cercueil: "[PATCH v5 8/8] Documentation: iio: Document high-speed DMABUF based API"
Next in thread: Mimi Zohar: "[PATCH v2 1/3] evm: don't copy up 'security.evm' xattr"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]