On Tue, Dec 19, 2023 at 3:49 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> Don't verify, write, remove or update 'security.evm' on unsupported
> filesystems.
>
> Temporarily define overlayfs as an unsupported filesystem until
> a complete solution is developed.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> security/integrity/evm/evm_main.c | 35 ++++++++++++++++++++++++++++++-
> 1 file changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 02adba635b02..aa6d32a07d20 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -151,6 +151,17 @@ static int evm_find_protected_xattrs(struct dentry *dentry)
> return count;
> }
>
> +static int is_unsupported_fs(struct dentry *dentry)
> +{
> + struct inode *inode = d_backing_inode(dentry);
> +
> + if (strcmp(inode->i_sb->s_type->name, "overlay") == 0) {
> + pr_info_once("overlayfs not supported\n");
> + return 1;
> + }

Please do not special case overlayfs in and please do not use the fs name
to detect support.

Please define an sb flag like SB_I_IMA_UNVERIFIABLE_SIGNATURE
to disable EVM and set this flag in ovl_fill_super().

Thanks,
Amir.
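Review bot: in the new is_unsupported_fs() helper, the filesystem is identified by a strcmp() of inode->i_sb->s_type->name against the literal "overlay", which ties EVM to a filesystem's registered type name and means every further unsupported filesystem needs another string compare added here; a superblock flag that the filesystem sets on itself at mount time (the SB_I_... flag proposed in the reply) lets the filesystem declare the property and keeps EVM free of filesystem names. The helper also returns int for a yes/no result; bool would match how the callers are expected to use it. Note that the quoted hunk stops inside the function body, so the fall-through return and the call sites that consult this helper are not visible in this excerpt.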