lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <da46b1105f294df78535f1f5b6833cd8e2a4262e.camel@linux.ibm.com>
Date: Tue, 09 Apr 2024 17:29:52 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Stefan Berger <stefanb@...ux.ibm.com>, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-unionfs@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, paul@...l-moore.com, jmorris@...ei.org,
        serge@...lyn.com, roberto.sassu@...wei.com, amir73il@...il.com,
        brauner@...nel.org, miklos@...redi.hu
Subject: Re: [PATCH v3 00/10] evm: Support signatures on stacked filesystem

On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote:
> EVM signature verification on stacked filesystem has recently been
> completely disabled by declaring some filesystems as unsupported
> (only overlayfs). This series now enables copy-up of "portable
> and immutable" signatures on those filesystems and enables the
> enforcement of "portable and immultable" as well as the "original"
> signatures on previously unsupported filesystem when evm is enabled
> with EVM_INIT_X509. HMAC verification and generation remains disabled.
> 
> "Portable and immutable" signatures can be copied up since they are
> not created over file-specific metadata, such as UUID or generation.
> Instead, they are only covering file metadata such as mode bits, uid, and
> gid, that will all be preserved during a copy-up of the file metadata.
> 
> This series is now based on the 'next' branch of Paul Moore's LSM tree and
> requires the following two commits from the vfs.misc branch of the vfs git
> repo at https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
> 
> commit 2109cc619e73 ("fs: remove the inode argument to ->d_real() method")
> commit c6c14f926fbe ("fs: make file_dentry() a simple accessor")

Thanks, Stefan.  The patch set is now queued in the next-integrity branch.
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/

Mimi


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ