Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-16 02:14:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux-stable/security
History
Stefan Berger c1a964bb90 evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509 
[ Upstream commit 47add87ad181473e5ef2438918669540ba5016a6 ]

Unsupported filesystems currently do not enforce any signatures. Add
support for signature enforcement of the "original" and "portable &
immutable" signatures when EVM_INIT_X509 is enabled.

The "original" signature type contains filesystem specific metadata.
Thus it cannot be copied up and verified. However with EVM_INIT_X509
and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature
may be written.

When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from
/sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not
possible to write or remove xattrs on the overlay filesystem.

This change still prevents EVM from writing HMAC signatures on
unsupported filesystem when EVM_INIT_HMAC is enabled.

Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-07-05 09:38:00 +02:00
..
apparmor
ima: Avoid blocking in RCU read-side critical section
2024-06-27 13:52:30 +02:00
bpf
lsm: mark the lsm_id variables are marked as static
2023-11-12 22:54:42 -05:00
integrity
evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
2024-07-05 09:38:00 +02:00
keys
KEYS: trusted: Do not use WARN when encode fails
2024-05-25 16:30:55 +02:00
landlock
landlock: Fix d_parent walk
2024-06-21 14:40:12 +02:00
loadpin
lsm: mark the lsm_id variables are marked as static
2023-11-12 22:54:42 -05:00
lockdown
LSM: Identify modules by more than name
2023-11-12 22:54:42 -05:00
safesetid
lsm: mark the lsm_id variables are marked as static
2023-11-12 22:54:42 -05:00
selinux
ima: Avoid blocking in RCU read-side critical section
2024-06-27 13:52:30 +02:00
smack
ima: Avoid blocking in RCU read-side critical section
2024-06-27 13:52:30 +02:00
tomoyo
tomoyo: fix UAF write bug in tomoyo_write_control()
2024-03-01 11:14:00 -08:00
yama
lsm: mark the lsm_id variables are marked as static
2023-11-12 22:54:42 -05:00
commoncap.c
lsm: mark the lsm_id variables are marked as static
2023-11-12 22:54:42 -05:00
device_cgroup.c
device_cgroup: Fix kernel-doc warnings in device_cgroup
2023-06-21 09:30:49 -04:00
inode.c
security: convert to new timestamp accessors
2023-10-18 14:08:31 +02:00
Kconfig
fortify: drop Clang version check for 12.0.1 or newer
2024-02-22 15:38:54 -08:00
Kconfig.hardening
hardening: Move BUG_ON_DATA_CORRUPTION to hardening options
2023-08-15 14:57:25 -07:00
lsm_audit.c
lsm: fix a number of misspellings
2023-05-25 17:52:15 -04:00
lsm_syscalls.c
lsm: use 32-bit compatible data types in LSM syscalls
2024-03-14 11:31:26 -04:00
Makefile
LSM: syscalls for current process attributes
2023-11-12 22:54:42 -05:00
min_addr.c
sysctl: pass kernel pointers to ->proc_handler
2020-04-27 02:07:40 -04:00
security.c
ima: Avoid blocking in RCU read-side critical section
2024-06-27 13:52:30 +02:00