lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240130214620.3155380-1-stefanb@linux.ibm.com>
Date: Tue, 30 Jan 2024 16:46:15 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-unionfs@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, paul@...l-moore.com, jmorris@...ei.org,
        serge@...lyn.com, zohar@...ux.ibm.com, roberto.sassu@...wei.com,
        amir73il@...il.com, miklos@...redi.hu,
        Stefan Berger <stefanb@...ux.ibm.com>
Subject: [PATCH 0/5] evm: Support signatures on stacked filesystem

EVM has recently been completely disabled on unsupported (e.g.,
overlayfs). This series now enables copy-up of "portable and immutable"
signatures on those filesystems and enables the enforcement of
"portable and immutable" as well as the "original" signatures on
previously unsupported filesystem when EVM is enabled with EVM_INIT_X509.
HMAC verification and generation remains disabled on those filesystems.

Regards,
   Stefan

Stefan Berger (5):
  security: allow finer granularity in permitting copy-up of security
    xattrs
  evm: Implement per signature type decision in
    security_inode_copy_up_xattr
  ima: Reset EVM status upon detecting changes to overlay backing file
  evm: Use the real inode's metadata to calculate metadata hash
  evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509

 fs/overlayfs/copy_up.c              |  2 +-
 include/linux/evm.h                 | 10 +++++-
 include/linux/lsm_hook_defs.h       |  3 +-
 include/linux/security.h            |  4 +--
 security/integrity/evm/evm_crypto.c |  2 +-
 security/integrity/evm/evm_main.c   | 48 +++++++++++++++++++++++------
 security/integrity/ima/ima_main.c   |  2 ++
 security/security.c                 |  7 +++--
 security/selinux/hooks.c            |  2 +-
 security/smack/smack_lsm.c          |  2 +-
 10 files changed, 62 insertions(+), 20 deletions(-)

-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ