On Tue, Dec 19, 2023 at 12:52:03PM -0500, Mimi Zohar wrote:
> EVM verifies the existing 'security.evm' value, before allowing it
> to be updated. The EVM HMAC and the original file signatures contain
> filesystem-specific metadata (e.g. i_ino, i_generation and s_uuid).
>
> This poses a challenge when transitioning from the lower backing file
> to the upper backing file.
>
> Until a complete solution is developed, disable EVM on overlayfs.
>
> Changelog v2:
> Addressed Amir's comments:
> - Simplified security_inode_copy_up_xattr() return.
> - Identified filesystems that don't support EVM based on a new SB_I flag.

We're wasting a flag for a single filesystem but we do have enough of them
left so I think this is ok,

Reviewed-by: Christian Brauner <brauner@xxxxxxxxxx>
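The following is an added illustration of the problem the quoted commit message describes; it is not kernel code and not part of the patch or this thread. It models the EVM HMAC as a keyed hash over the protected xattrs plus per-inode and per-superblock metadata (i_ino, i_generation, uid, gid, mode, s_uuid), seals a lower-layer file, copies it up to an upper inode with different metadata, and shows that the copied 'security.evm' no longer verifies and therefore blocks any further update. A second run with an assumed per-superblock "EVM unsupported" marker, standing in for the new SB_I flag, shows the behaviour the patch aims for: 'security.evm' is discarded on copy-up and verification is skipped. The exact field order and widths in the HMAC, the key, the xattr set and the constructed file metadata are all assumptions made for this example.

```python
"""Model of why an EVM HMAC bound to (i_ino, i_generation, s_uuid)
cannot survive an overlayfs copy-up. Added example, not kernel code.
HMAC layout, key and sample inode values are assumptions."""
import hashlib
import hmac
import struct
import uuid
from dataclasses import dataclass, field

EVM_KEY = b"constructed-evm-hmac-key-for-demo"       # stands in for the keyring-loaded EVM key
PROTECTED_XATTRS = ("security.ima", "security.selinux")  # assumed EVM-protected set
XATTR_EVM = "security.evm"


@dataclass
class Inode:
    ino: int
    generation: int
    uid: int
    gid: int
    mode: int
    s_uuid: str                    # UUID of the filesystem (superblock) holding the inode
    evm_unsupported: bool = False  # models the new per-superblock SB_I flag from the patch
    xattrs: dict = field(default_factory=dict)


def evm_calc_hmac(inode: Inode) -> bytes:
    """HMAC over protected xattr values, then filesystem-specific metadata."""
    mac = hmac.new(EVM_KEY, digestmod=hashlib.sha256)
    for name in PROTECTED_XATTRS:
        value = inode.xattrs.get(name)
        if value is not None:
            mac.update(name.encode())
            mac.update(value)
    # Assumed hmac_misc layout: ino, generation, uid, gid, mode, then s_uuid.
    mac.update(struct.pack("<QIIIH", inode.ino, inode.generation,
                           inode.uid, inode.gid, inode.mode))
    mac.update(uuid.UUID(inode.s_uuid).bytes)
    return mac.digest()


def evm_verify(inode: Inode) -> str:
    """Returns 'unsupported', 'missing', 'pass' or 'fail'."""
    if inode.evm_unsupported:
        return "unsupported"          # filesystem flagged as not supporting EVM: skip
    stored = inode.xattrs.get(XATTR_EVM)
    if stored is None:
        return "missing"
    return "pass" if hmac.compare_digest(stored, evm_calc_hmac(inode)) else "fail"


def evm_set_xattr(inode: Inode, name: str, value: bytes) -> bool:
    """Model of the EVM setxattr gate: the existing security.evm must verify
    before a protected xattr (or security.evm itself) may be changed."""
    if name in PROTECTED_XATTRS or name == XATTR_EVM:
        if evm_verify(inode) == "fail":
            return False              # would be -EPERM in the kernel
    inode.xattrs[name] = value
    if name != XATTR_EVM and not inode.evm_unsupported:
        inode.xattrs[XATTR_EVM] = evm_calc_hmac(inode)   # re-seal after a valid update
    return True


def copy_up(lower: Inode, upper: Inode) -> None:
    """overlayfs copy-up of xattrs; models security_inode_copy_up_xattr()
    discarding security.evm when the upper filesystem does not support EVM."""
    for name, value in lower.xattrs.items():
        if name == XATTR_EVM and upper.evm_unsupported:
            continue                  # discard: the HMAC cannot be valid for the upper inode
        upper.xattrs[name] = value


def scenario(disable_evm_on_overlay: bool) -> dict:
    # Constructed lower-layer inode, sealed at labeling time.
    lower = Inode(ino=1234, generation=7, uid=0, gid=0, mode=0o100644,
                  s_uuid="3f0c6e8a-1b2d-4c5e-9f70-0123456789ab",
                  xattrs={"security.ima": b"\x04" + bytes(32),
                          "security.selinux": b"system_u:object_r:etc_t:s0\x00"})
    lower.xattrs[XATTR_EVM] = evm_calc_hmac(lower)

    # Constructed upper-layer inode: new inode number, generation and fs uuid.
    upper = Inode(ino=98, generation=1, uid=0, gid=0, mode=0o100644,
                  s_uuid="7a9b1c3d-4e5f-4a6b-8c7d-fedcba987654",
                  evm_unsupported=disable_evm_on_overlay)
    copy_up(lower, upper)

    return {
        "lower": evm_verify(lower),
        "upper": evm_verify(upper),
        "evm_copied": XATTR_EVM in upper.xattrs,
        "update_ok": evm_set_xattr(upper, "security.ima", b"\x04" + bytes(range(32))),
    }


if __name__ == "__main__":
    print("EVM active on overlay:  ", scenario(False))
    print("EVM disabled on overlay:", scenario(True))
```

Without the marker the copied 'security.evm' fails against the upper inode's metadata, so the subsequent write to 'security.ima' is refused; with the marker the xattr is dropped at copy-up, verification reports the filesystem as unsupported, and the update goes through.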