[PATCH 0/5] evm: Support signatures on stacked filesystem

From: Stefan Berger
Date: Tue Jan 30 2024 - 16:47:32 EST


EVM has recently been completely disabled on unsupported (e.g.,
overlayfs). This series now enables copy-up of "portable and immutable"
signatures on those filesystems and enables the enforcement of
"portable and immutable" as well as the "original" signatures on
previously unsupported filesystem when EVM is enabled with EVM_INIT_X509.
HMAC verification and generation remains disabled on those filesystems.

Regards,
Stefan

Stefan Berger (5):
security: allow finer granularity in permitting copy-up of security
xattrs
evm: Implement per signature type decision in
security_inode_copy_up_xattr
ima: Reset EVM status upon detecting changes to overlay backing file
evm: Use the real inode's metadata to calculate metadata hash
evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509

fs/overlayfs/copy_up.c | 2 +-
include/linux/evm.h | 10 +++++-
include/linux/lsm_hook_defs.h | 3 +-
include/linux/security.h | 4 +--
security/integrity/evm/evm_crypto.c | 2 +-
security/integrity/evm/evm_main.c | 48 +++++++++++++++++++++++------
security/integrity/ima/ima_main.c | 2 ++
security/security.c | 7 +++--
security/selinux/hooks.c | 2 +-
security/smack/smack_lsm.c | 2 +-
10 files changed, 62 insertions(+), 20 deletions(-)

--
2.43.0