diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-10 00:24:06 +0300 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-01-10 00:24:06 +0300 |
| commit | 6c1dd1fe5d8a1d43ed96e2e0ed44a88c73c5c039 (patch) | |
| tree | 08cf4521df75e4b7699f1abeb695985ce6ee26d9 /security/integrity/ima | |
| parent | e9b4c5890858015bfe2089b7573319bcf4a92907 (diff) | |
| parent | c00f94b3a5be428837868c0f2cdaa3fa5b4b1995 (diff) | |
| download | linux-6c1dd1fe5d8a1d43ed96e2e0ed44a88c73c5c039.tar.xz | |
Merge tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity updates from Mimi Zohar:
- Add a new IMA/EVM maintainer and reviewer
- Disable EVM on overlayfs
The EVM HMAC and the original file signatures contain filesystem
specific metadata (e.g. i_ino, i_generation and s_uuid), preventing
the security.evm xattr from directly being copied up to the overlay.
Further before calculating and writing out the overlay file's EVM
HMAC, EVM must first verify the existing backing file's
'security.evm' value.
For now until a solution is developed, disable EVM on overlayfs.
- One bug fix and two cleanups
* tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
overlay: disable EVM
evm: add support to disable EVM on unsupported filesystems
evm: don't copy up 'security.evm' xattr
MAINTAINERS: Add Eric Snowberg as a reviewer to IMA
MAINTAINERS: Add Roberto Sassu as co-maintainer to IMA and EVM
KEYS: encrypted: Add check for strsep
ima: Remove EXPERIMENTAL from Kconfig
ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
Diffstat (limited to 'security/integrity/ima')
| -rw-r--r-- | security/integrity/ima/Kconfig | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index a6bd817efc1a..b98bfe9efd0c 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG to accept such signatures. config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY - bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" + bool "Permit keys validly signed by a built-in, machine (if configured) or secondary" depends on SYSTEM_TRUSTED_KEYRING depends on SECONDARY_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS @@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY default n help Keys may be added to the IMA or IMA blacklist keyrings, if the - key is validly signed by a CA cert in the system built-in or - secondary trusted keyrings. The key must also have the - digitalSignature usage set. + key is validly signed by a CA cert in the system built-in, + machine (if configured), or secondary trusted keyrings. The + key must also have the digitalSignature usage set. Intermediate keys between those the kernel has compiled in and the IMA keys to be added may be added to the system secondary keyring, provided they are validly signed by a key already resident in the - built-in or secondary trusted keyrings. + built-in, machine (if configured) or secondary trusted keyrings. config IMA_BLACKLIST_KEYRING bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" |