[PATCH OLK-5.10] IMA: Introduce a config for fix on IMA with Overlayfs issue

From: GUO Zihua <guozihua@huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD CVE: NA -------------------------------- IMA detect the backing inode changes through i_version of the backing inode would introduce a performance degrade, so introduce a config to allow users to turn the i_version detection on and off. Signed-off-by: GUO Zihua <guozihua@huawei.com> Signed-off-by: Xiang Yang <xiangyang3@huawei.com> --- security/integrity/ima/Kconfig | 8 ++++++++ security/integrity/ima/ima_main.c | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 213dc7079f84..9e254c5cb117 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -368,3 +368,11 @@ config IMA_PARSER_BINARY_PATH default "/usr/bin/upload_digest_lists" help This option defines the path of the parser binary. + +config IMA_FIX_OVERLAYFS_DETECTION + bool + default y + help + This option enables the fix for overlayfs backing inode change + detection. With this config enabled, IMA would be detecting + backing inode changes through i_version of the backing inode. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 389d6e957357..0a202a4f07c1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -267,7 +267,11 @@ static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, enum ima_hooks func) { +#ifdef IMA_FIX_OVERLAYFS_DETECTION struct inode *backing_inode, *inode = file_inode(file); +#else + struct inode *inode = file_inode(file); +#endif struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc = NULL; char *pathbuf = NULL; 
@@ -344,6 +348,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } +#ifdef IMA_FIX_OVERLAYFS_DETECTION /* Detect and re-evaluate changes made to the backing file. */ backing_inode = d_real_inode(file_dentry(file)); if (backing_inode != inode && @@ -356,6 +361,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } } +#endif /* Determine if already appraised/measured based on bitmask * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, -- 2.34.1
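Review bot: In the Kconfig hunk, `config IMA_FIX_OVERLAYFS_DETECTION` is declared as a bare `bool` with no prompt string, so the symbol is not visible in menuconfig and cannot be toggled by users; since the commit message says the point of the option is to let users turn the i_version detection on and off, it needs a prompt such as `bool "Detect overlayfs backing inode changes via i_version"` (and the help text should state the trade-off the commit message gives, that the check costs performance, so readers know why they might disable it). The help text itself also reads better as "IMA detects backing inode changes through the i_version of the backing inode" rather than "IMA would be detecting".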
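Review bot: In the first ima_main.c hunk, `#ifdef IMA_FIX_OVERLAYFS_DETECTION` tests the wrong macro name: Kconfig symbols reach C code with a `CONFIG_` prefix, so the check must be `#ifdef CONFIG_IMA_FIX_OVERLAYFS_DETECTION`. As written the macro is never defined, the `#else` branch is always compiled, and the overlayfs backing inode detection is silently dropped even though the option defaults to `y`, which inverts the intent of the patch. A cleaner alternative that keeps both paths compile-checked is to declare `backing_inode` unconditionally and guard the runtime check with `if (IS_ENABLED(CONFIG_IMA_FIX_OVERLAYFS_DETECTION))`.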
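Review bot: In the second ima_main.c hunk, the same `#ifdef IMA_FIX_OVERLAYFS_DETECTION` (missing `CONFIG_` prefix) opens a preprocessor block around `backing_inode = d_real_inode(file_dentry(file));` whose matching `#endif` only appears in the following hunk, past context the diff elides; because the body of the `if (backing_inode != inode && ...)` block is not fully visible here, please confirm the `#ifdef`/`#endif` pair encloses the whole conditional and nothing else, or replace the pair with a single `if (IS_ENABLED(CONFIG_IMA_FIX_OVERLAYFS_DETECTION))` around the existing condition so the structure is visible in one place.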
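Review bot: In the last ima_main.c hunk, the bare `#endif` closes a block that started in a different hunk of the function; kernel style for multi-line conditional blocks is to label it, e.g. `#endif /* CONFIG_IMA_FIX_OVERLAYFS_DETECTION */`, so a reader of `process_measurement()` can tell which guard it terminates.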

FeedBack: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/8255
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/A...
participants (2)
- patchwork bot
- Xiang Yang