EVM signature verification on stacked filesystems has recently been completely
disabled by declaring some filesystems as unsupported (only overlayfs). This
series now enables copy-up of "portable and immutable" signatures on those
filesystems and enables the enforcement of "portable and immutable" as well as
the "original" signatures on previously unsupported filesystems when EVM is
enabled with EVM_INIT_X509. HMAC verification and generation remain disabled.

"Portable and immutable" signatures can be copied up since they are not
created over file-specific metadata, such as UUID or generation. Instead, they
only cover file metadata such as mode bits, uid, and gid, which will all be
preserved during a copy-up of the file metadata.

Regards,
   Stefan

v2:
 - Added patch to rename backing_inode to real_inode (1/9)
 - Added patches renaming flag and function due to RSA enablement (7,8/9)
 - Added patch to record i_version of real_inode for change detection (9/9)
 - Use Amir's function to get inode holding metadata now (4,5/9)

Stefan Berger (9):
  ima: Rename backing_inode to real_inode
  security: allow finer granularity in permitting copy-up of security xattrs
  evm: Implement per signature type decision in security_inode_copy_up_xattr
  ima: Reset EVM status upon detecting changes to the real file
  evm: Use the inode holding the metadata to calculate metadata hash
  evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
  fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
  evm: Rename is_unsupported_fs to is_unsupported_hmac_fs
  ima: Record i_version of real_inode for change detection

 fs/overlayfs/copy_up.c              |  2 +-
 fs/overlayfs/super.c                |  2 +-
 include/linux/evm.h                 | 13 +++++-
 include/linux/fs.h                  |  2 +-
 include/linux/lsm_hook_defs.h       |  3 +-
 include/linux/security.h            |  4 +-
 security/integrity/evm/evm_crypto.c |  2 +-
 security/integrity/evm/evm_main.c   | 69 ++++++++++++++++++++++-------
 security/integrity/ima/ima_api.c    | 28 ++++++------
 security/integrity/ima/ima_main.c   | 23 ++++++----
 security/security.c                 |  7 +--
 security/selinux/hooks.c            |  2 +-
 security/smack/smack_lsm.c          |  2 +-
 13 files changed, 107 insertions(+), 52 deletions(-)

--
2.43.0
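The cover letter's reasoning for why only "portable and immutable" signatures survive a copy-up can be modelled directly: hash the metadata EVM protects for the same file as seen on the lower layer and on the upper layer after copy-up, once with and once without the file-specific fields. This is an added illustration, not kernel code; the field set and byte layout of the digest input are an assumption modelled loosely on the kernel's hmac_misc handling, and the LOWER/UPPER metadata is constructed sample data.

```python
import hashlib
import struct
import uuid

# Constructed sample: one file's metadata on the read-only lower layer and on
# the upper layer after an overlayfs copy-up. Mode, uid, gid and the protected
# security xattrs are preserved; inode number, generation and fs UUID are not.
LOWER = {
    "ino": 1234, "generation": 7, "uid": 1000, "gid": 1000, "mode": 0o100644,
    "fsuuid": uuid.UUID("11111111-2222-3333-4444-555555555555").bytes,
    "xattrs": {
        "security.ima": b"\x04" + b"\xab" * 32,          # constructed value
        "security.selinux": b"system_u:object_r:etc_t:s0",
    },
}
UPPER = dict(LOWER, ino=98765, generation=1,
             fsuuid=uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes)


def evm_metadata_hash(meta, portable):
    """Digest over the metadata an EVM signature covers.

    portable=True  models EVM_XATTR_PORTABLE_DIGSIG: xattrs, uid, gid, mode.
    portable=False models the "original" signature, which additionally
    covers inode number, generation and the filesystem UUID.
    Field order and packing are an assumption for illustration only.
    """
    h = hashlib.sha256()
    for name in sorted(meta["xattrs"]):              # protected xattr values
        h.update(meta["xattrs"][name])
    if not portable:
        h.update(struct.pack("<QI", meta["ino"], meta["generation"]))
    h.update(struct.pack("<IIH", meta["uid"], meta["gid"], meta["mode"]))
    if not portable:
        h.update(meta["fsuuid"])
    return h.hexdigest()


def signature_survives_copy_up(lower, upper, portable):
    """True if a signature made over `lower` still verifies against `upper`."""
    return evm_metadata_hash(lower, portable) == evm_metadata_hash(upper, portable)


if __name__ == "__main__":
    print("portable signature still valid after copy-up:",
          signature_survives_copy_up(LOWER, UPPER, True))     # True
    print("original signature still valid after copy-up:",
          signature_survives_copy_up(LOWER, UPPER, False))    # False
    # A later chmod on the upper layer must still be caught once enforced.
    print("portable signature valid after chmod on upper:",
          signature_survives_copy_up(LOWER, dict(UPPER, mode=0o100600), True))
```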