EVM verifies the existing 'security.evm' value, before allowing it to be
updated. The EVM HMAC and the original file signatures contain filesystem
specific metadata (e.g. i_ino, i_generation and s_uuid). This poses a
challenge when transitioning from the lower backing file to the upper
backing file. Until a complete solution is developed, disable EVM on
overlayfs.

Changelog v2:
Addressed Amir's comments:
- Simplified security_inode_copy_up_xattr() return.
- Identified filesystems that don't support EVM based on a new SB_I flag.

Mimi Zohar (3):
  evm: don't copy up 'security.evm' xattr
  evm: add support to disable EVM on unsupported filesystems
  overlay: disable EVM

 fs/overlayfs/super.c              |  1 +
 include/linux/evm.h               |  6 +++++
 include/linux/fs.h                |  1 +
 security/integrity/evm/evm_main.c | 42 ++++++++++++++++++++++++++++++-
 security/security.c               |  2 +-
 5 files changed, 50 insertions(+), 2 deletions(-)

-- 
2.39.3
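The reason a copied-up 'security.evm' cannot be trusted, shown as an added model (not the kernel's EVM code): the HMAC binds the protected xattrs to the inode's own i_ino, i_generation and s_uuid, so the same xattr value on a different upper inode fails verification. The key, the inode numbers, the xattr values and the evm_disabled flag (standing in for the series' new superblock flag) are all constructed for this example.

```python
import hmac
import hashlib

# Constructed key; stands in for the kernel's EVM HMAC key (example only).
EVM_KEY = b"constructed-evm-hmac-key"

def evm_hmac(xattrs, ino, generation, s_uuid):
    """Model of the EVM HMAC: protected xattrs plus i_ino, i_generation, s_uuid."""
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha256)
    for name in sorted(xattrs):               # 'security.evm' itself is not covered
        if name != "security.evm":
            h.update(name.encode() + b"\0" + xattrs[name] + b"\0")
    h.update(ino.to_bytes(8, "little"))       # filesystem-specific inode metadata
    h.update(generation.to_bytes(4, "little"))
    h.update(s_uuid)
    return h.digest()

def evm_verify(xattrs, ino, generation, s_uuid, evm_disabled=False):
    """'unsupported' if the superblock opted out, else whether the HMAC matches."""
    if evm_disabled:                          # models the new SB_I flag from the series
        return "unsupported"
    stored = xattrs.get("security.evm")
    if stored is None:
        return "missing"
    ok = hmac.compare_digest(stored, evm_hmac(xattrs, ino, generation, s_uuid))
    return "pass" if ok else "fail"

def copy_up(lower_xattrs, copy_evm):
    """Overlayfs copy-up of xattrs; with the series applied, copy_evm is False."""
    return {k: v for k, v in lower_xattrs.items() if copy_evm or k != "security.evm"}

# Constructed lower (ino 1234 on fs A) and upper (ino 77 on fs B) inodes.
LOWER = dict(ino=1234, generation=1, s_uuid=b"A" * 16)
UPPER = dict(ino=77, generation=5, s_uuid=b"B" * 16)

def demo():
    xattrs = {"security.ima": b"constructed-ima-digest", "security.selinux": b"u:r:t"}
    xattrs["security.evm"] = evm_hmac(xattrs, **LOWER)
    lower_ok = evm_verify(xattrs, **LOWER)                              # 'pass'
    # Blindly copying 'security.evm' binds the HMAC to the wrong inode: 'fail'
    stale = evm_verify(copy_up(xattrs, copy_evm=True), **UPPER)
    # Skipping it leaves no stale HMAC behind on the upper inode: 'missing'
    skipped = evm_verify(copy_up(xattrs, copy_evm=False), **UPPER)
    # With EVM disabled on the overlay superblock, verification is bypassed.
    disabled = evm_verify(copy_up(xattrs, copy_evm=False), **UPPER, evm_disabled=True)
    return lower_ok, stale, skipped, disabled
```

Calling demo() returns ('pass', 'fail', 'missing', 'unsupported'), one result per case in the order the comments describe.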