On Wed, 2023-12-20 at 13:35 +0100, Christian Brauner wrote:
> On Tue, Dec 19, 2023 at 12:52:03PM -0500, Mimi Zohar wrote:
> > EVM verifies the existing 'security.evm' value, before allowing it
> > to be updated. The EVM HMAC and the original file signatures contain
> > filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).
> >
> > This poses a challenge when transitioning from the lower backing file
> > to the upper backing file.
> >
> > Until a complete solution is developed, disable EVM on overlayfs.
> >
> > Changelog v2:
> > Addressed Amir's comments:
> > - Simplified security_inode_copy_up_xattr() return.
> > - Identified filesystems that don't support EVM based on a new SB_I flag.
>
> We're wasting a flag for a single filesystem but we do have enough of
> them left so I think this is ok,

Thanks, Christian.

>
> Reviewed-by: Christian Brauner <brauner@xxxxxxxxxx>