Hi Linus,
Adding a new IMA/EVM maintainer and reviewer, disabling EVM on overlay, 1 bug
fix and 2 cleanups.
- The EVM HMAC and the original file signatures contain filesystem specific
metadata (e.g. i_ino, i_generation and s_uuid), preventing the security.evm
xattr from directly being copied up to the overlay. Further before calculating
and writing out the overlay file's EVM HMAC, EVM must first verify the existing
backing file's 'security.evm' value. For now until a solution is developed,
disable EVM on overlayfs.
thanks,
Mimi
The following changes since commit 2cc14f52aeb78ce3f29677c2de1f06c0e91471ab:
Linux 6.7-rc3 (2023-11-26 19:59:33 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.8
for you to fetch changes up to c00f94b3a5be428837868c0f2cdaa3fa5b4b1995:
overlay: disable EVM (2023-12-20 07:40:50 -0500)
----------------------------------------------------------------
integrity-v6.8
----------------------------------------------------------------
Chen Ni (1):
KEYS: encrypted: Add check for strsep
Eric Snowberg (2):
ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
ima: Remove EXPERIMENTAL from Kconfig
Mimi Zohar (5):
MAINTAINERS: Add Roberto Sassu as co-maintainer to IMA and EVM
MAINTAINERS: Add Eric Snowberg as a reviewer to IMA
evm: don't copy up 'security.evm' xattr
evm: add support to disable EVM on unsupported filesystems
overlay: disable EVM
MAINTAINERS | 3 +++
fs/overlayfs/super.c | 1 +
include/linux/evm.h | 6 +++++
include/linux/fs.h | 1 +
security/integrity/evm/evm_main.c | 42 +++++++++++++++++++++++++++++++-
security/integrity/ima/Kconfig | 10 ++++----
security/keys/encrypted-keys/encrypted.c | 4 +++
security/security.c | 2 +-
8 files changed, 62 insertions(+), 7 deletions(-)
