lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240205182506.3569743-1-stefanb@linux.ibm.com>
Date: Mon,  5 Feb 2024 13:24:57 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-unionfs@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, paul@...l-moore.com, jmorris@...ei.org,
        serge@...lyn.com, zohar@...ux.ibm.com, roberto.sassu@...wei.com,
        amir73il@...il.com, brauner@...nel.org, miklos@...redi.hu,
        Stefan Berger <stefanb@...ux.ibm.com>
Subject: [PATCH v2 0/9] evm: Support signatures on stacked filesystem

EVM signature verification on stacked filesystem has recently been
completely disabled by declaring some filesystems as unsupported
(only overlayfs). This series now enables copy-up of "portable
and immutable" signatures on those filesystems and enables the
enforcement of "portable and immultable" as well as the "original"
signatures on previously unsupported filesystem when evm is enabled
with EVM_INIT_X509. HMAC verification and generation remains disabled.

"Portable and immutable" signatures can be copied up since they are
not created over file-specific metadata, such as UUID or generation.
Instead, they are only covering file metadata such as mode bits, uid, and
gid, that will all be preserved during a copy-up of the file metadata.

Regards,
   Stefan

v2:
  - Added patch to rename backing_inode to real_inode (1/9)
  - Added patches renaming flag and function due to RSA enablement (7,8/9)
  - Added patch to record i_version of real_inode for change detection (9/9)
  - Use Amir's function to get inode holding metadata now (4,5/9)

Stefan Berger (9):
  ima: Rename backing_inode to real_inode
  security: allow finer granularity in permitting copy-up of security
    xattrs
  evm: Implement per signature type decision in
    security_inode_copy_up_xattr
  ima: Reset EVM status upon detecting changes to the real file
  evm: Use the inode holding the metadata to calculate metadata hash
  evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
  fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
  evm: Rename is_unsupported_fs to is_unsupported_hmac_fs
  ima: Record i_version of real_inode for change detection

 fs/overlayfs/copy_up.c              |  2 +-
 fs/overlayfs/super.c                |  2 +-
 include/linux/evm.h                 | 13 +++++-
 include/linux/fs.h                  |  2 +-
 include/linux/lsm_hook_defs.h       |  3 +-
 include/linux/security.h            |  4 +-
 security/integrity/evm/evm_crypto.c |  2 +-
 security/integrity/evm/evm_main.c   | 69 ++++++++++++++++++++++-------
 security/integrity/ima/ima_api.c    | 28 ++++++------
 security/integrity/ima/ima_main.c   | 23 ++++++----
 security/security.c                 |  7 +--
 security/selinux/hooks.c            |  2 +-
 security/smack/smack_lsm.c          |  2 +-
 13 files changed, 107 insertions(+), 52 deletions(-)

-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ