On Thu, 2023-04-20 at 10:50 +0200, Roberto Sassu wrote: > > > > It's possible. It's been a long time since I've looked at this. > > I'm tempted to take a change to make overlayfs work upstream and > > then worry about the ima changes. There seems to be a lot more > > going on with the ima changes than is obvious from what's in the > > Smack code. It doesn't sound like the patch set introduces the overlayfs bug. The security_inode_init_security() change to initialize multiple LSMs and IMA xattrs and include them in the EVM hmac calculation is straight forward. In addition, the patch set creates the infrastructure for allowing multiple per LSM xattrs, as requested, to be initialized in security_inode_init_security() and included in the EVM hmac. Mimi > We could also set only SMACK64 in smack_inode_init_security(), and move > SMACKTRANSMUTE64 later, when we figure out how to fix the case of > overlayfs. > > IMA and EVM would work in both cases.
