2023-12-19 18:01:51

by Mimi Zohar

Subject: [PATCH v2 0/3] evm: disable EVM on overlayfs

EVM verifies the existing 'security.evm' value, before allowing it
to be updated. The EVM HMAC and the original file signatures contain
filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).

This poses a challenge when transitioning from the lower backing file
to the upper backing file.

Until a complete solution is developed, disable EVM on overlayfs.

Changelog v2:
Addressed Amir's comments:
- Simplified security_inode_copy_up_xattr() return.
- Identified filesystems that don't support EVM based on a new SB_I flag.

Mimi Zohar (3):
evm: don't copy up 'security.evm' xattr
evm: add support to disable EVM on unsupported filesystems
overlay: disable EVM

fs/overlayfs/super.c | 1 +
include/linux/evm.h | 6 +++++
include/linux/fs.h | 1 +
security/integrity/evm/evm_main.c | 42 ++++++++++++++++++++++++++++++-
security/security.c | 2 +-
5 files changed, 50 insertions(+), 2 deletions(-)

--
2.39.3
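To make the cover letter's point concrete, here is an added user-space model (not the kernel's EVM code, and not part of this series) of what happens to a 'security.evm' HMAC across an overlayfs copy-up. It assumes a simplified HMAC input: the protected xattr values followed by i_ino, i_generation, uid, gid, mode and s_uuid, packed in an illustrative layout; the key, xattr names, inode numbers and UUIDs are constructed. The status names mirror the kernel's integrity_status values but the verification logic is a deliberate simplification.

```python
"""Why an EVM HMAC cannot simply be copied up from the lower to the upper
backing file: the HMAC binds filesystem-specific inode metadata."""
import hashlib
import hmac
import struct
import uuid

EVM_KEY = b"constructed-demo-key-not-a-real-evm-key"   # constructed, not a kernel key
PROTECTED_XATTRS = ("security.selinux", "security.ima")  # simplified subset

# Names follow the kernel's integrity_status values (simplified model).
PASS = "INTEGRITY_PASS"
FAIL = "INTEGRITY_FAIL"
NOXATTRS = "INTEGRITY_NOXATTRS"
UNKNOWN = "INTEGRITY_UNKNOWN"


class Inode:
    """Only the fields the cover letter names as HMAC input, plus a flag that
    models SB_I_EVM_UNSUPPORTED on the owning superblock."""

    def __init__(self, ino, generation, uid, gid, mode, fs_uuid, xattrs,
                 evm_unsupported=False):
        self.ino = ino
        self.generation = generation
        self.uid = uid
        self.gid = gid
        self.mode = mode
        self.fs_uuid = fs_uuid
        self.xattrs = dict(xattrs)
        self.evm_unsupported = evm_unsupported


def evm_calc_hmac(inode):
    """Model of the HMAC calculation: protected xattr values, then the
    filesystem-specific metadata. The struct layout is an assumption."""
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha256)
    for name in PROTECTED_XATTRS:
        value = inode.xattrs.get(name)
        if value is not None:
            h.update(value)
    h.update(struct.pack("<QIIIH", inode.ino, inode.generation,
                         inode.uid, inode.gid, inode.mode))
    h.update(inode.fs_uuid.bytes)   # s_uuid ties the HMAC to one filesystem
    return h.digest()


def evm_label(inode):
    """Write a fresh 'security.evm' for this inode."""
    inode.xattrs["security.evm"] = evm_calc_hmac(inode)


def evm_verify(inode):
    """Model of the verification path."""
    if inode.evm_unsupported:
        return UNKNOWN           # EVM disabled on this filesystem: never checked
    stored = inode.xattrs.get("security.evm")
    if stored is None:
        return NOXATTRS
    return PASS if hmac.compare_digest(stored, evm_calc_hmac(inode)) else FAIL


def copy_up(lower, upper_uuid, upper_ino, copy_evm_xattr, evm_unsupported=False):
    """Model of overlayfs copy-up: data and xattrs land on a new inode of the
    upper filesystem, which has its own i_ino and s_uuid."""
    xattrs = dict(lower.xattrs)
    if not copy_evm_xattr:
        xattrs.pop("security.evm", None)   # patch 1/3: don't copy up 'security.evm'
    return Inode(upper_ino, 1, lower.uid, lower.gid, lower.mode, upper_uuid,
                 xattrs, evm_unsupported)


def copy_up_scenarios():
    """Verification outcome for each of the strategies the series discusses."""
    lower_uuid = uuid.UUID("00000000-0000-0000-0000-00000000000a")  # constructed
    upper_uuid = uuid.UUID("00000000-0000-0000-0000-00000000000b")  # constructed
    lower = Inode(100, 1, 0, 0, 0o100644, lower_uuid, {
        "security.selinux": b"system_u:object_r:etc_t:s0",   # constructed
        "security.ima": b"\x04" + b"\x11" * 32,               # constructed
    })
    evm_label(lower)
    naive = copy_up(lower, upper_uuid, 200, copy_evm_xattr=True)
    no_copy = copy_up(lower, upper_uuid, 200, copy_evm_xattr=False)
    disabled = copy_up(lower, upper_uuid, 200, copy_evm_xattr=False,
                       evm_unsupported=True)
    return {
        "lower": evm_verify(lower),
        "copied_evm_xattr": evm_verify(naive),
        "evm_xattr_not_copied": evm_verify(no_copy),
        "evm_disabled_on_overlay": evm_verify(disabled),
    }


if __name__ == "__main__":
    for name, status in copy_up_scenarios().items():
        print(f"{name}: {status}")
```

The copied-up 'security.evm' fails because i_ino and s_uuid changed even though every protected xattr value is identical; dropping the xattr on copy-up turns that hard failure into a missing-label result, and marking the superblock unsupported takes overlayfs out of EVM's checks entirely, which is the interim behaviour the series implements.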



2023-12-19 18:02:37

by Mimi Zohar

Subject: [PATCH v2 3/3] overlay: disable EVM

Until a complete solution is developed, update 'sb->s_iflags' to
disable EVM.

Signed-off-by: Mimi Zohar <[email protected]>
---
fs/overlayfs/super.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index a0967bb25003..e3d9c6c80a47 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1454,6 +1454,7 @@ int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
* lead to unexpected results.
*/
sb->s_iflags |= SB_I_NOUMASK;
+ sb->s_iflags |= SB_I_EVM_UNSUPPORTED;

err = -ENOMEM;
root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe);
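Review bot: the new flag is set directly under the comment block that justifies SB_I_NOUMASK ("... lead to unexpected results."), so fs/overlayfs/super.c itself carries no explanation of why EVM is unsupported on overlayfs; a one-line comment stating the reason given in the cover letter (the EVM HMAC and file signatures embed i_ino, i_generation and s_uuid, which differ between the lower and upper backing files) would spare the next reader a trip to the git log, and the two assignments could be folded into one, `sb->s_iflags |= SB_I_NOUMASK | SB_I_EVM_UNSUPPORTED;`. Also worth stating in the commit message: SB_I_EVM_UNSUPPORTED is introduced in include/linux/fs.h by patch 2/3 according to the series diffstat, so this patch does not build on its own and must not be picked separately.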
--
2.39.3


2023-12-20 04:22:47

by Amir Goldstein

Subject: Re: [PATCH v2 3/3] overlay: disable EVM

On Tue, Dec 19, 2023 at 7:52 PM Mimi Zohar <[email protected]> wrote:
>
> Until a complete solution is developed, update 'sb->s_iflags' to
> disable EVM.
>
> Signed-off-by: Mimi Zohar <[email protected]>

Acked-by: Amir Goldstein <[email protected]>

> ---
> fs/overlayfs/super.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
> index a0967bb25003..e3d9c6c80a47 100644
> --- a/fs/overlayfs/super.c
> +++ b/fs/overlayfs/super.c
> @@ -1454,6 +1454,7 @@ int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
> * lead to unexpected results.
> */
> sb->s_iflags |= SB_I_NOUMASK;
> + sb->s_iflags |= SB_I_EVM_UNSUPPORTED;
>
> err = -ENOMEM;
> root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe);
> --
> 2.39.3
>

2023-12-20 12:35:52

by Christian Brauner

Subject: Re: [PATCH v2 0/3] evm: disable EVM on overlayfs

On Tue, Dec 19, 2023 at 12:52:03PM -0500, Mimi Zohar wrote:
> EVM verifies the existing 'security.evm' value, before allowing it
> to be updated. The EVM HMAC and the original file signatures contain
> filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).
>
> This poses a challenge when transitioning from the lower backing file
> to the upper backing file.
>
> Until a complete solution is developed, disable EVM on overlayfs.
>
> Changelog v2:
> Addressed Amir's comments:
> - Simplified security_inode_copy_up_xattr() return.
> - Identified filesystems that don't support EVM based on a new SB_I flag.

We're wasting a flag for a single filesystem but we do have enough of
them left so I think this is ok,

Reviewed-by: Christian Brauner <[email protected]>

2023-12-20 14:20:00

by Mimi Zohar

Subject: Re: [PATCH v2 0/3] evm: disable EVM on overlayfs

On Wed, 2023-12-20 at 13:35 +0100, Christian Brauner wrote:
> On Tue, Dec 19, 2023 at 12:52:03PM -0500, Mimi Zohar wrote:
> > EVM verifies the existing 'security.evm' value, before allowing it
> > to be updated. The EVM HMAC and the original file signatures contain
> > filesystem specific metadata (e.g. i_ino, i_generation and s_uuid).
> >
> > This poses a challenge when transitioning from the lower backing file
> > to the upper backing file.
> >
> > Until a complete solution is developed, disable EVM on overlayfs.
> >
> > Changelog v2:
> > Addressed Amir's comments:
> > - Simplified security_inode_copy_up_xattr() return.
> > - Identified filesystems that don't support EVM based on a new SB_I flag.
>
> We're wasting a flag for a single filesystem but we do have enough of
> them left so I think this is ok,

Thanks, Christian.

>
> Reviewed-by: Christian Brauner <[email protected]>