evm: add support to disable EVM on unsupported filesystems

Identify EVM unsupported filesystems by defining a new flag SB_I_EVM_UNSUPPORTED. Don't verify, write, remove or update 'security.evm' on unsupported filesystems. Acked-by: Amir Goldstein <amir73il@gmail.com> Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Mimi Zohar <zohar@linux.ibm.com> 2023-12-18 08:06:40 -0500
committer: Mimi Zohar <zohar@linux.ibm.com> 2023-12-20 07:40:07 -0500
commit: cd708c938f055c9eb5a366ec1c8edcefa28afc28 (patch)
tree: 39089292c344413f5243377e57f993057a0f52e9 /include/linux/fs.h
parent: 40ca4ee3136d2d09977d1cab8c0c0e1582c3359d (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 98b7a7a8c42e..1474f36e9b38 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1164,6 +1164,7 @@ extern int send_sigurg(struct fown_struct *fown);
 #define SB_I_USERNS_VISIBLE		0x00000010 /* fstype already mounted */
 #define SB_I_IMA_UNVERIFIABLE_SIGNATURE	0x00000020
 #define SB_I_UNTRUSTED_MOUNTER		0x00000040
+#define SB_I_EVM_UNSUPPORTED		0x00000080
 
 #define SB_I_SKIP_SYNC	0x00000100	/* Skip superblock at global sync */
 #define SB_I_PERSB_BDI	0x00000200	/* has a per-sb bdi */
author	Mimi Zohar <zohar@linux.ibm.com>	2023-12-18 08:06:40 -0500
committer	Mimi Zohar <zohar@linux.ibm.com>	2023-12-20 07:40:07 -0500
commit	cd708c938f055c9eb5a366ec1c8edcefa28afc28 (patch)
tree	39089292c344413f5243377e57f993057a0f52e9 /include/linux/fs.h
parent	40ca4ee3136d2d09977d1cab8c0c0e1582c3359d (diff)