All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
	roberto.sassu@huawei.com, amir73il@gmail.com, miklos@szeredi.hu,
	Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH 0/5] evm: Support signatures on stacked filesystem
Date: Tue, 30 Jan 2024 16:46:15 -0500	[thread overview]
Message-ID: <20240130214620.3155380-1-stefanb@linux.ibm.com> (raw)

EVM has recently been completely disabled on unsupported (e.g.,
overlayfs). This series now enables copy-up of "portable and immutable"
signatures on those filesystems and enables the enforcement of
"portable and immutable" as well as the "original" signatures on
previously unsupported filesystem when EVM is enabled with EVM_INIT_X509.
HMAC verification and generation remains disabled on those filesystems.

Regards,
   Stefan

Stefan Berger (5):
  security: allow finer granularity in permitting copy-up of security
    xattrs
  evm: Implement per signature type decision in
    security_inode_copy_up_xattr
  ima: Reset EVM status upon detecting changes to overlay backing file
  evm: Use the real inode's metadata to calculate metadata hash
  evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509

 fs/overlayfs/copy_up.c              |  2 +-
 include/linux/evm.h                 | 10 +++++-
 include/linux/lsm_hook_defs.h       |  3 +-
 include/linux/security.h            |  4 +--
 security/integrity/evm/evm_crypto.c |  2 +-
 security/integrity/evm/evm_main.c   | 48 +++++++++++++++++++++++------
 security/integrity/ima/ima_main.c   |  2 ++
 security/security.c                 |  7 +++--
 security/selinux/hooks.c            |  2 +-
 security/smack/smack_lsm.c          |  2 +-
 10 files changed, 62 insertions(+), 20 deletions(-)

-- 
2.43.0


             reply	other threads:[~2024-01-30 21:46 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-30 21:46 Stefan Berger [this message]
2024-01-30 21:46 ` [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs Stefan Berger
2024-01-31 13:25   ` Amir Goldstein
2024-01-31 14:25     ` Christian Brauner
2024-01-31 14:56       ` Stefan Berger
2024-02-01 13:35         ` Christian Brauner
2024-02-01 14:18           ` Amir Goldstein
2024-02-02 11:58             ` Christian Brauner
2024-02-01 15:41     ` Stefan Berger
2024-01-31 16:47   ` kernel test robot
2024-01-31 19:06   ` kernel test robot
2024-01-30 21:46 ` [PATCH 2/5] evm: Implement per signature type decision in security_inode_copy_up_xattr Stefan Berger
2024-01-31 13:28   ` Amir Goldstein
2024-01-30 21:46 ` [PATCH 3/5] ima: Reset EVM status upon detecting changes to overlay backing file Stefan Berger
2024-01-31 13:56   ` Amir Goldstein
2024-01-31 14:46     ` Stefan Berger
2024-01-30 21:46 ` [PATCH 4/5] evm: Use the real inode's metadata to calculate metadata hash Stefan Berger
2024-01-31  2:10   ` Stefan Berger
2024-01-31 13:16     ` Amir Goldstein
2024-01-31 14:40       ` Stefan Berger
2024-01-31 15:54         ` Amir Goldstein
2024-01-31 17:23           ` Amir Goldstein
2024-01-31 17:46             ` Stefan Berger
2024-02-01 12:10               ` Amir Goldstein
2024-02-01 13:36                 ` Stefan Berger
2024-02-01 14:11                   ` Amir Goldstein
2024-02-01 20:35                     ` Stefan Berger
2024-02-02  9:24                       ` Amir Goldstein
2024-02-02 14:59                         ` Stefan Berger
2024-02-02 15:51                           ` Amir Goldstein
2024-02-02 16:06                             ` Stefan Berger
2024-02-02 16:17                               ` Amir Goldstein
2024-02-02 16:30                                 ` Stefan Berger
2024-01-31 17:25           ` Stefan Berger
2024-01-30 21:46 ` [PATCH 5/5] evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509 Stefan Berger
2024-01-31 14:06   ` Amir Goldstein
2024-02-01 17:53     ` Mimi Zohar
2024-01-31 13:18 ` [PATCH 0/5] evm: Support signatures on stacked filesystem Amir Goldstein
2024-01-31 14:52   ` Stefan Berger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240130214620.3155380-1-stefanb@linux.ibm.com \
    --to=stefanb@linux.ibm.com \
    --cc=amir73il@gmail.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=paul@paul-moore.com \
    --cc=roberto.sassu@huawei.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.