From: Mimi Zohar <zohar@linux.ibm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-integrity <linux-integrity@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: [GIT PULL] integrity: subsystem updates for v6.8
Date: Tue, 09 Jan 2024 08:41:07 -0500
Message-ID: <e4c5630fbd56ea57b51df50c4c7b0e865e89f4b6.camel@linux.ibm.com>

Hi Linus,

Adding a new IMA/EVM maintainer and reviewer, disabling EVM on overlay, 1 bug
fix and 2 cleanups.

- The EVM HMAC and the original file signatures contain filesystem-specific
  metadata (e.g. i_ino, i_generation and s_uuid), preventing the security.evm
  xattr from directly being copied up to the overlay. Further, before calculating
  and writing out the overlay file's EVM HMAC, EVM must first verify the existing
  backing file's 'security.evm' value. For now, until a solution is developed,
  disable EVM on overlayfs.

thanks,

Mimi

The following changes since commit 2cc14f52aeb78ce3f29677c2de1f06c0e91471ab:

  Linux 6.7-rc3 (2023-11-26 19:59:33 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git tags/integrity-v6.8

for you to fetch changes up to c00f94b3a5be428837868c0f2cdaa3fa5b4b1995:

  overlay: disable EVM (2023-12-20 07:40:50 -0500)

----------------------------------------------------------------
integrity-v6.8

----------------------------------------------------------------
Chen Ni (1):
      KEYS: encrypted: Add check for strsep

Eric Snowberg (2):
      ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
      ima: Remove EXPERIMENTAL from Kconfig

Mimi Zohar (5):
      MAINTAINERS: Add Roberto Sassu as co-maintainer to IMA and EVM
      MAINTAINERS: Add Eric Snowberg as a reviewer to IMA
      evm: don't copy up 'security.evm' xattr
      evm: add support to disable EVM on unsupported filesystems
      overlay: disable EVM

 MAINTAINERS                              |  3 +++
 fs/overlayfs/super.c                     |  1 +
 include/linux/evm.h                      |  6 +++++
 include/linux/fs.h                       |  1 +
 security/integrity/evm/evm_main.c        | 42 +++++++++++++++++++++++++++++++-
 security/integrity/ima/Kconfig           | 10 ++++----
 security/keys/encrypted-keys/encrypted.c |  4 +++
 security/security.c                      |  2 +-
 8 files changed, 62 insertions(+), 7 deletions(-)
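
Added illustration (not part of the original message and not kernel code): a simplified Python model of why a 'security.evm' HMAC that covers i_ino, i_generation and s_uuid stops verifying when it is copied verbatim to a different inode on a different filesystem, and why a recalculation has to be gated on verifying the backing file first. The packing layout, key, xattr values, inode numbers, UUIDs and the helper names (evm_hmac, verify, recalc_after_verify, demo) are constructed assumptions.

```python
import hashlib, hmac, struct, uuid

def evm_hmac(key, xattrs, s_uuid, i_ino, i_generation, uid, gid, mode):
    """Simplified EVM-style HMAC; the packing layout is an assumption,
    not the kernel's exact structure."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in sorted(xattrs):              # protected xattr values
        mac.update(xattrs[name])
    # per-inode metadata that ties the HMAC to one inode on one filesystem
    mac.update(struct.pack("<QIIIH", i_ino, i_generation, uid, gid, mode))
    mac.update(s_uuid.bytes)                 # filesystem UUID
    return mac.digest()

def verify(key, security_evm, xattrs, s_uuid, inode):
    expected = evm_hmac(key, xattrs, s_uuid, **inode)
    return hmac.compare_digest(security_evm, expected)

def recalc_after_verify(key, security_evm, xattrs, lower, upper):
    """Hypothetical helper: recompute for the upper inode only after the
    backing file's security.evm has verified."""
    if not verify(key, security_evm, xattrs, *lower):
        return None                          # refuse to bless unverified data
    return evm_hmac(key, xattrs, upper[0], **upper[1])

def demo():
    key = b"constructed-demo-key"            # all values below are constructed
    xattrs = {"security.ima": b"\x04\x04" + b"\xaa" * 32,
              "security.selinux": b"system_u:object_r:bin_t:s0\x00"}
    lower = (uuid.UUID(int=0x1111),
             dict(i_ino=1042, i_generation=7, uid=0, gid=0, mode=0o100755))
    upper = (uuid.UUID(int=0x2222),
             dict(i_ino=88121, i_generation=3, uid=0, gid=0, mode=0o100755))
    stored = evm_hmac(key, xattrs, lower[0], **lower[1])
    fresh = recalc_after_verify(key, stored, xattrs, lower, upper)
    tampered = dict(xattrs, **{"security.ima": b"\x04\x04" + b"\xbb" * 32})
    return {
        "lower_ok": verify(key, stored, xattrs, *lower),
        "verbatim_copy_ok": verify(key, stored, xattrs, *upper),
        "recalculated_ok": verify(key, fresh, xattrs, *upper),
        "tampered_recalc": recalc_after_verify(key, stored, tampered, lower, upper),
    }

if __name__ == "__main__":
    print(demo())
```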