| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Dec 2023 12:52:03 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: linux-unionfs@...r.kernel.org
Cc: Mimi Zohar <zohar@...ux.ibm.com>, linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org, Amir Goldstein <amir73il@...il.com>,
Christian Brauner <brauner@...nel.org>,
Seth Forshee <sforshee@...nel.org>,
Roberto Sassu <roberto.sassu@...weicloud.com>
Subject: [PATCH v2 0/3] evm: disable EVM on overlayfs
EVM verifies the existing 'security.evm' value, before allowing it
to be updated. The EVM HMAC and the original file signatures contain
filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).
This poses a challenge when transitioning from the lower backing file
to the upper backing file.
Until a complete solution is developed, disable EVM on overlayfs.
Changelog v2:
Addressed Amir's comments:
- Simplified security_inode_copy_up_xattr() return.
- Identified filesystems that don't support EVM based on a new SB_I flag.
Mimi Zohar (3):
evm: don't copy up 'security.evm' xattr
evm: add support to disable EVM on unsupported filesystems
overlay: disable EVM
fs/overlayfs/super.c | 1 +
include/linux/evm.h | 6 +++++
include/linux/fs.h | 1 +
security/integrity/evm/evm_main.c | 42 ++++++++++++++++++++++++++++++-
security/security.c | 2 +-
5 files changed, 50 insertions(+), 2 deletions(-)
--
2.39.3
Powered by blists - more mailing lists