From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
roberto.sassu@huawei.com, amir73il@gmail.com, brauner@kernel.org,
miklos@szeredi.hu, Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v3 00/10] evm: Support signatures on stacked filesystem
Date: Fri, 23 Feb 2024 12:25:03 -0500
Message-ID: <20240223172513.4049959-1-stefanb@linux.ibm.com>

EVM signature verification on stacked filesystem has recently been
completely disabled by declaring some filesystems as unsupported
(only overlayfs). This series now enables copy-up of "portable
and immutable" signatures on those filesystems and enables the
enforcement of "portable and immutable" as well as the "original"
signatures on previously unsupported filesystems when evm is enabled
with EVM_INIT_X509. HMAC verification and generation remains disabled.
"Portable and immutable" signatures can be copied up since they are
not created over file-specific metadata, such as UUID or generation.
Instead, they are only covering file metadata such as mode bits, uid, and
gid, that will all be preserved during a copy-up of the file metadata.
This series is now based on the 'next' branch of Paul Moore's LSM tree and
requires the following two commits from the vfs.misc branch of the vfs git
repo at https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
commit 2109cc619e73 ("fs: remove the inode argument to ->d_real() method")
commit c6c14f926fbe ("fs: make file_dentry() a simple accessor")
Regards,
Stefan
v3:
- Rebased series on 'next' branch of Paul Moore's LSM tree
- Reworking of commit descriptions
- Reworked patches 5-7
v2:
- Added patch to rename backing_inode to real_inode (1/9)
- Added patches renaming flag and function due to RSA enablement (7,8/9)
- Added patch to record i_version of real_inode for change detection
(9/9)
- Use Amir's function to get inode holding metadata now (4,5/9)
Stefan Berger (10):
ima: Rename backing_inode to real_inode
security: allow finer granularity in permitting copy-up of security
xattrs
evm: Implement per signature type decision in
security_inode_copy_up_xattr
evm: Use the metadata inode to calculate metadata hash
ima: Move file-change detection variables into new structure
evm: Store and detect metadata inode attributes changes
ima: re-evaluate file integrity on file metadata change
evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
evm: Rename is_unsupported_fs to is_unsupported_hmac_fs
fs/overlayfs/copy_up.c | 2 +-
fs/overlayfs/super.c | 2 +-
include/linux/evm.h | 8 +++
include/linux/fs.h | 2 +-
include/linux/integrity.h | 34 +++++++++++
include/linux/lsm_hook_defs.h | 3 +-
include/linux/security.h | 4 +-
security/integrity/evm/evm.h | 6 +-
security/integrity/evm/evm_crypto.c | 25 +++++---
security/integrity/evm/evm_main.c | 92 +++++++++++++++++++++++------
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 10 ++--
security/integrity/ima/ima_iint.c | 2 +-
security/integrity/ima/ima_main.c | 31 +++++++---
security/security.c | 5 +-
security/selinux/hooks.c | 2 +-
security/smack/smack_lsm.c | 2 +-
17 files changed, 178 insertions(+), 56 deletions(-)
base-commit: f89d47833d28f101fce65c7d08c00a4d6f28c1b1
prerequisite-patch-id: c6c14f926fbe37330af6271d26f98e70d1a07372
prerequisite-patch-id: 2109cc619e733c8709250b62d7f1d43461589f57
--
2.43.0
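To make concrete why the cover letter says "portable and immutable" signatures can be copied up while "original" signatures cannot, here is an added Python model (not code from this series or from the kernel). It follows the field selection of EVM's hmac_add_misc() in security/integrity/evm/evm_crypto.c, where portable signatures leave inode number and generation out of the digest; the exact byte layout, the sample xattr value and the inode numbers are constructed for illustration, and the xattr type values are assumed from the kernel's enum evm_ima_xattr_type.

```python
import hashlib
import struct
from dataclasses import dataclass, replace

# Assumed values from the kernel's enum evm_ima_xattr_type.
EVM_XATTR_HMAC = 0x02             # HMAC: file-specific, never copied up
EVM_IMA_XATTR_DIGSIG = 0x03       # "original" signature: covers ino + generation
EVM_XATTR_PORTABLE_DIGSIG = 0x05  # "portable and immutable": no ino/generation


@dataclass(frozen=True)
class InodeMeta:
    """Metadata EVM protects. xattrs is ((name, value), ...) of protected xattrs."""
    ino: int
    generation: int
    uid: int
    gid: int
    mode: int
    xattrs: tuple


def evm_digest(meta: InodeMeta, sig_type: int) -> str:
    """Digest over the metadata a signature of the given type protects.
    The byte layout is a constructed model, not the kernel's exact encoding."""
    h = hashlib.sha256()
    for name, value in sorted(meta.xattrs):
        h.update(name.encode() + b"\0" + value)
    if sig_type == EVM_XATTR_PORTABLE_DIGSIG:
        # Portable signatures zero the fields that change on copy-up,
        # so only mode/uid/gid and the protected xattrs are covered.
        ino, generation = 0, 0
    else:
        ino, generation = meta.ino, meta.generation
    h.update(struct.pack("<QIIIH", ino, generation, meta.uid, meta.gid, meta.mode))
    return h.hexdigest()


def copy_up(lower: InodeMeta, upper_ino: int, upper_generation: int) -> InodeMeta:
    """Model of an overlayfs copy-up: a new inode on the upper filesystem that
    keeps mode, uid, gid and the security xattrs of the lower file."""
    return replace(lower, ino=upper_ino, generation=upper_generation)


def survives_copy_up(lower: InodeMeta, upper: InodeMeta, sig_type: int) -> bool:
    """True if a signature of sig_type made on `lower` still verifies on `upper`."""
    return evm_digest(lower, sig_type) == evm_digest(upper, sig_type)
```

Changing any covered field on the upper inode (mode, uid, gid or a protected xattr) still changes the portable digest, which is the case the series' metadata change detection has to catch.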
2024-02-23 17:25 Stefan Berger [this message]
2024-02-23 17:25 ` [PATCH v3 01/10] ima: Rename backing_inode to real_inode Stefan Berger
2024-03-19 22:50 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 02/10] security: allow finer granularity in permitting copy-up of security xattrs Stefan Berger
2024-03-19 22:51 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 03/10] evm: Implement per signature type decision in security_inode_copy_up_xattr Stefan Berger
2024-03-19 22:51 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 04/10] evm: Use the metadata inode to calculate metadata hash Stefan Berger
2024-03-19 22:51 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 05/10] ima: Move file-change detection variables into new structure Stefan Berger
2024-02-23 17:25 ` [PATCH v3 06/10] evm: Store and detect metadata inode attributes changes Stefan Berger
2024-02-23 17:25 ` [PATCH v3 07/10] ima: re-evaluate file integrity on file metadata change Stefan Berger
2024-03-19 22:53 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 08/10] evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509 Stefan Berger
2024-03-19 23:26 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 09/10] fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED Stefan Berger
2024-03-19 22:53 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 10/10] evm: Rename is_unsupported_fs to is_unsupported_hmac_fs Stefan Berger
2024-03-19 22:53 ` Mimi Zohar
2024-04-09 21:29 ` [PATCH v3 00/10] evm: Support signatures on stacked filesystem Mimi Zohar