path: root/include/linux/fs_pin.h
author: Stefan Berger <stefanb@linux.ibm.com> 2024-02-23 20:25:11 +0300
committer: Mimi Zohar <zohar@linux.ibm.com> 2024-04-10 00:14:57 +0300
commit: 47add87ad181473e5ef2438918669540ba5016a6 (patch)
tree: c684b07c6bea4a972cf5f6609d210859c16e9d23 /include/linux/fs_pin.h
parent: cd9b909a117210bfd77a89bb06a3154c1fc51b51 (diff)
download: linux-47add87ad181473e5ef2438918669540ba5016a6.tar.xz
evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
Unsupported filesystems currently do not enforce any signatures. Add support for signature enforcement of the "original" and "portable & immutable" signatures when EVM_INIT_X509 is enabled.

The "original" signature type contains filesystem-specific metadata. Thus it cannot be copied up and verified. However, with EVM_INIT_X509 and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature may be written. When EVM_ALLOW_METADATA_WRITES is not set, or once it is removed from /sys/kernel/security/evm (by setting EVM_INIT_HMAC, for example), it is not possible to write or remove xattrs on the overlay filesystem.

This change still prevents EVM from writing HMAC signatures on unsupported filesystems when EVM_INIT_HMAC is enabled.

Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'include/linux/fs_pin.h')
0 files changed, 0 insertions, 0 deletions