> The second problem is that one security.evm is not enough. We need two, > to store the two different HMACs. And we need both at the same time, > since when overlayfs is mounted the lower/upper directories can be > still accessible. "Changes to the underlying filesystems while part of a mounted overlay filesystem are not allowed. If the underlying filesystem is changed, the behavior of the overlay is undefined, though it will not result in a crash or deadlock." https://docs.kernel.org/filesystems/overlayfs.html#changes-to-underlying-filesystems So I don't know why this would be a problem. > In the example I described, IMA tries to update security.ima, but this > causes EVM to attempt updating security.evm twice (once after the upper > filesystem performed the setxattr requested by overlayfs, another after > overlayfs performed the setxattr requested by IMA; the latter fails So I think phrasing it this way is confusiong. All that overlayfs does is to forward that setxattr request to the upper layer. So really the overlayfs layer here is irrelevant? > since EVM does not allow the VFS to directly update the HMAC). Callchains and details, please. I don't understand what you mean. > > Remapping security.evm to security.evm_overlayfs (now > trusted.overlay.evm) allows us to store both HMACs separately and to > know which one to use. > > I just realized that the new xattr name should be public, because EVM > rejects HMAC updates, so we should reject HMAC updates based on the new > xattr name too. I won't support any of this going in unless there's a comprehensive description of where this is all supposed to go and there's a comprehensive and coherent story of what EVM and IMA want to achieve for overlayfs or stacking filesystems in general. The past months we've seen a bunch of ductape to taper over this pretty basic question and there's no end in sight apparently. Really, we need a comprehensive solution for both IMA and EVM it seems. And before that is solved we'll not be merging anything of this sort and won't make any impactful uapi changes such as exposing a new security.* xattr.
