linux/security/integrity
Stefan Berger 47add87ad1 evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
Unsupported filesystems currently do not enforce any signatures. Add
support for signature enforcement of the "original" and "portable &
immutable" signatures when EVM_INIT_X509 is enabled.

The "original" signature type contains filesystem-specific metadata.
Thus it cannot be copied up and verified. However, with EVM_INIT_X509
and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature
may be written.

When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from
/sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not
possible to write or remove xattrs on the overlay filesystem.

This change still prevents EVM from writing HMAC signatures on
unsupported filesystems when EVM_INIT_HMAC is enabled.

Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2024-04-09 17:14:57 -04:00
evm evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509 2024-04-09 17:14:57 -04:00
ima ima: re-evaluate file integrity on file metadata change 2024-04-09 17:14:57 -04:00
platform_certs
digsig.c
digsig_asymmetric.c
iint.c
integrity.h integrity: Avoid -Wflex-array-member-not-at-end warnings 2024-04-08 07:55:48 -04:00
integrity_audit.c
Kconfig
Makefile