lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 19 Dec 2023 08:48:59 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: linux-unionfs@...r.kernel.org
Cc: Mimi Zohar <zohar@...ux.ibm.com>, linux-integrity@...r.kernel.org,
        linux-kernel@...r.kernel.org, Amir Goldstein <amir73il@...il.com>,
        Christian Brauner <brauner@...nel.org>,
        Seth Forshee <sforshee@...nel.org>,
        Roberto Sassu <roberto.sassu@...weicloud.com>
Subject: [PATCH 0/2] evm: disable EVM on overlayfs

EVM verifies the existing 'security.evm' value, before allowing it
to be updated.  The EVM HMAC and the original file signatures contain
filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).

This poses a challenge when transitioning from the lower backing file
to the upper backing file.

Until a complete solution is developed, disable EVM on overlayfs.

Mimi Zohar (2):
  evm: don't copy up 'security.evm' xattr
  evm: add support to disable EVM on unsupported filesystems

 include/linux/evm.h               |  6 +++++
 security/integrity/evm/evm_main.c | 42 ++++++++++++++++++++++++++++++-
 security/security.c               |  4 +++
 3 files changed, 51 insertions(+), 1 deletion(-)

-- 
2.39.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ