diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-10 00:24:06 +0300 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-10 00:24:06 +0300 |
| commit | 6c1dd1fe5d8a1d43ed96e2e0ed44a88c73c5c039 (patch) | |
| tree | 08cf4521df75e4b7699f1abeb695985ce6ee26d9 /include | |
| parent | e9b4c5890858015bfe2089b7573319bcf4a92907 (diff) | |
| parent | c00f94b3a5be428837868c0f2cdaa3fa5b4b1995 (diff) | |
| download | linux-6c1dd1fe5d8a1d43ed96e2e0ed44a88c73c5c039.tar.xz | |
Merge tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity updates from Mimi Zohar:
- Add a new IMA/EVM maintainer and reviewer
- Disable EVM on overlayfs
The EVM HMAC and the original file signatures contain filesystem
specific metadata (e.g. i_ino, i_generation and s_uuid), preventing
the security.evm xattr from directly being copied up to the overlay.
Further before calculating and writing out the overlay file's EVM
HMAC, EVM must first verify the existing backing file's
'security.evm' value.
For now until a solution is developed, disable EVM on overlayfs.
- One bug fix and two cleanups
* tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
overlay: disable EVM
evm: add support to disable EVM on unsupported filesystems
evm: don't copy up 'security.evm' xattr
MAINTAINERS: Add Eric Snowberg as a reviewer to IMA
MAINTAINERS: Add Roberto Sassu as co-maintainer to IMA and EVM
KEYS: encrypted: Add check for strsep
ima: Remove EXPERIMENTAL from Kconfig
ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/evm.h | 6 | ||||
| -rw-r--r-- | include/linux/fs.h | 1 |
2 files changed, 7 insertions, 0 deletions
diff --git a/include/linux/evm.h b/include/linux/evm.h index 01fc495a83e2..36ec884320d9 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -31,6 +31,7 @@ extern void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len); +extern int evm_inode_copy_up_xattr(const char *name); extern int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *xattr_name); extern void evm_inode_post_removexattr(struct dentry *dentry, @@ -117,6 +118,11 @@ static inline void evm_inode_post_setxattr(struct dentry *dentry, return; } +static inline int evm_inode_copy_up_xattr(const char *name) +{ + return 0; +} + static inline int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *xattr_name) diff --git a/include/linux/fs.h b/include/linux/fs.h index 9314e8541745..e6ba0cc6f2ee 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1166,6 +1166,7 @@ extern int send_sigurg(struct fown_struct *fown); #define SB_I_USERNS_VISIBLE 0x00000010 /* fstype already mounted */ #define SB_I_IMA_UNVERIFIABLE_SIGNATURE 0x00000020 #define SB_I_UNTRUSTED_MOUNTER 0x00000040 +#define SB_I_EVM_UNSUPPORTED 0x00000080 #define SB_I_SKIP_SYNC 0x00000100 /* Skip superblock at global sync */ #define SB_I_PERSB_BDI 0x00000200 /* has a per-sb bdi */ |