X-Mailing-List: linux-kernel@vger.kernel.org
References: <20231219134901.96300-1-zohar@linux.ibm.com> <20231219134901.96300-3-zohar@linux.ibm.com>
In-Reply-To: <20231219134901.96300-3-zohar@linux.ibm.com>
From: Amir Goldstein
Date: Tue, 19 Dec 2023 16:47:14 +0200
Subject: Re: [PATCH 2/2] evm: add support to disable EVM on unsupported filesystems
To: Mimi Zohar
Cc: linux-unionfs@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Christian Brauner, Seth Forshee, Roberto Sassu

On Tue, Dec 19, 2023 at 3:49 PM Mimi Zohar wrote:
>
> Don't verify, write, remove or update 'security.evm' on unsupported
> filesystems.
>
> Temporarily define overlayfs as an unsupported filesystem until
> a complete solution is developed.
>
> Signed-off-by: Mimi Zohar
> ---
>  security/integrity/evm/evm_main.c | 35 ++++++++++++++++++++++++++++++-
>  1 file changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 02adba635b02..aa6d32a07d20 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -151,6 +151,17 @@ static int evm_find_protected_xattrs(struct dentry *dentry)
>  	return count;
>  }
>
> +static int is_unsupported_fs(struct dentry *dentry)
> +{
> +	struct inode *inode = d_backing_inode(dentry);
> +
> +	if (strcmp(inode->i_sb->s_type->name, "overlay") == 0) {
> +		pr_info_once("overlayfs not supported\n");
> +		return 1;
> +	}

Please do not special case overlayfs in and please do not use the fs name
to detect support.

Please define an sb flag like SB_I_IMA_UNVERIFIABLE_SIGNATURE to disable
EVM and set this flag in ovl_fill_super().

Thanks,
Amir.
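Review bot: in the is_unsupported_fs() hunk, comparing inode->i_sb->s_type->name against the literal "overlay" ties EVM's decision to one filesystem's registered name, so every further filesystem with the same limitation would need its own strcmp branch inside EVM; a bit in the superblock's s_iflags (an SB_I_* flag, as the reply suggests) set by the filesystem in its own fill_super lets each filesystem declare the property itself and keeps filesystem names out of evm_main.c. Minor: the function only ever returns 0 or 1, so a bool return type would state its contract more clearly. The quoted hunk is cut off after the closing brace of the if block, so the fall-through return is not visible here.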
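As an added example that is not code from the patch or from the reply: a user-space model of the name-based check in the quoted hunk next to the superblock-flag check the reply asks for. struct super_block, struct file_system_type, the flag name SB_I_EVM_UNSUPPORTED and mock_ovl_fill_super() are stand-ins for the kernel definitions in include/linux/fs.h and fs/overlayfs/super.c, and the "fakestack" filesystem is constructed.

```c
/* Added example, not the patch's code: the fs-name check from the hunk beside a
 * superblock-flag check.  All types, SB_I_EVM_UNSUPPORTED and
 * mock_ovl_fill_super() are stand-ins for the kernel's own definitions. */
#include <string.h>

#define SB_I_EVM_UNSUPPORTED 0x1u	/* hypothetical bit in sb->s_iflags */

struct file_system_type { const char *name; };
struct super_block { struct file_system_type *s_type; unsigned int s_iflags; };

/* What the hunk does: EVM decides by comparing the registered fs name. */
static int is_unsupported_fs_by_name(const struct super_block *sb)
{
	return strcmp(sb->s_type->name, "overlay") == 0;
}

/* What the reply asks for: EVM only tests a bit the filesystem set itself. */
static int is_unsupported_fs_by_flag(const struct super_block *sb)
{
	return (sb->s_iflags & SB_I_EVM_UNSUPPORTED) != 0;
}

/* Stand-in for the point in ovl_fill_super() where overlayfs would opt out. */
static void mock_ovl_fill_super(struct super_block *sb)
{
	sb->s_iflags |= SB_I_EVM_UNSUPPORTED;
}

static struct file_system_type ovl_type = { "overlay" };
static struct file_system_type ext4_type = { "ext4" };
static struct file_system_type stack_type = { "fakestack" };	/* constructed */

/* Mounts three constructed superblocks and returns a bitmask with bit i set
 * when the two checks disagree on superblock i.  Only "fakestack", a second
 * stacking filesystem that opts out through the flag, is missed by strcmp. */
int disagreement_mask(void)
{
	struct super_block ovl = { &ovl_type, 0 };
	struct super_block ext4 = { &ext4_type, 0 };
	struct super_block stack = { &stack_type, 0 };
	const struct super_block *sbs[] = { &ovl, &ext4, &stack };
	int mask = 0;

	mock_ovl_fill_super(&ovl);
	stack.s_iflags |= SB_I_EVM_UNSUPPORTED;	/* its own fill_super opts out */
	for (int i = 0; i < 3; i++)
		if (is_unsupported_fs_by_name(sbs[i]) != is_unsupported_fs_by_flag(sbs[i]))
			mask |= 1 << i;
	return mask;	/* 4: only the third superblock disagrees */
}
```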