EVM has recently been completely disabled on unsupported (e.g., overlayfs). This series now enables copy-up of "portable and immutable" signatures on those filesystems and enables the enforcement of "portable and immutable" as well as the "original" signatures on previously unsupported filesystem when EVM is enabled with EVM_INIT_X509. HMAC verification and generation remains disabled on those filesystems. Regards, Stefan Stefan Berger (5): security: allow finer granularity in permitting copy-up of security xattrs evm: Implement per signature type decision in security_inode_copy_up_xattr ima: Reset EVM status upon detecting changes to overlay backing file evm: Use the real inode's metadata to calculate metadata hash evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509 fs/overlayfs/copy_up.c | 2 +- include/linux/evm.h | 10 +++++- include/linux/lsm_hook_defs.h | 3 +- include/linux/security.h | 4 +-- security/integrity/evm/evm_crypto.c | 2 +- security/integrity/evm/evm_main.c | 48 +++++++++++++++++++++++------ security/integrity/ima/ima_main.c | 2 ++ security/security.c | 7 +++-- security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- 10 files changed, 62 insertions(+), 20 deletions(-) -- 2.43.0