Merge tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:

 - Add a new IMA/EVM maintainer and reviewer

 - Disable EVM on overlayfs

   The EVM HMAC and the original file signatures contain filesystem
   specific metadata (e.g. i_ino, i_generation and s_uuid), preventing
   the security.evm xattr from directly being copied up to the overlay.
   Further before calculating and writing out the overlay file's EVM
   HMAC, EVM must first verify the existing backing file's
   'security.evm' value.

   For now until a solution is developed, disable EVM on overlayfs.

 - One bug fix and two cleanups

* tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  overlay: disable EVM
  evm: add support to disable EVM on unsupported filesystems
  evm: don't copy up 'security.evm' xattr
  MAINTAINERS: Add Eric Snowberg as a reviewer to IMA
  MAINTAINERS: Add Roberto Sassu as co-maintainer to IMA and EVM
  KEYS: encrypted: Add check for strsep
  ima: Remove EXPERIMENTAL from Kconfig
  ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

1 files changed, 1 insertions, 0 deletions

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index bcd4c314a7eb..7131e3f5b9f5 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1454,6 +1454,7 @@ int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
 	 * lead to unexpected results.
 	 */
 	sb->s_iflags |= SB_I_NOUMASK;
+	sb->s_iflags |= SB_I_EVM_UNSUPPORTED;
 
 	err = -ENOMEM;
 	root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe);