[PATCH OLK-5.10] IMA: use real_inode to get the i_version

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICDKL2 -------------------------------- overlayfs has two types of inode, the overlayfs inode generated by overlayfs and the real inode of the file. When IMA does the measurement, process_measurement() will try to detect file content changes for files on a overlayfs filesystem based on the i_version number of the real inode. But now comparing with value of overlayfs inode, results in always re-evaluating the file's integrity. Therefore, ima_collect_measurement() should update iint->iversion with real_inode iversion. Also, ima_check_last_writer() should compare i_version base on real_inode. This patch is based on the implementation of upstream patch (see below Link tag). Due to merging the pre-patch to resolve conflicts introduces KABI changes, we don't fix this with the mainline version. Link: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commi... Fixes: b836c4d29f27 ("ima: detect changes to the backing overlay file") Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_main.c | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d88d7fb9f9a5..69bb71331e3f 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -278,7 +278,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, * which do not support i_version, support is limited to an initial * measurement/appraisal/audit. */ - i_version = inode_query_iversion(inode); + i_version = inode_query_iversion(real_inode); hash.hdr.algo = algo; /* Initialize hash digest to 0's in case of failure */ diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c211a2c5f297..efa20bd18b97 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
@@ -222,16 +222,19 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, { fmode_t mode = file->f_mode; bool update; + struct inode *real_inode; if (!(mode & FMODE_WRITE)) return; mutex_lock(&iint->mutex); if (atomic_read(&inode->i_writecount) == 1) { + real_inode = d_real_inode(file_dentry(file)); + update = test_and_clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); - if (!IS_I_VERSION(inode) || - !inode_eq_iversion(inode, iint->version) || + if (!IS_I_VERSION(real_inode) || + !inode_eq_iversion(real_inode, iint->version) || (iint->flags & IMA_NEW_FILE)) { iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); iint->measured_pcrs = 0; -- 2.25.1
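Review bot: in the ima_api.c hunk only the inode_query_iversion() argument is switched from inode to real_inode; the hunk does not show where real_inode is declared or assigned in ima_collect_measurement(), nor whether the IS_I_VERSION() check that guards this path (the context comment refers to filesystems "which do not support i_version") was also moved to real_inode. Please confirm both in the surrounding code, otherwise iint->version is read from the real inode while the support check is still made on the overlay inode, and a sentence in the commit message saying where real_inode comes from in this function would help readers of the backport.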
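Review bot: in the ima_check_last_writer() hunk the new `real_inode = d_real_inode(file_dentry(file));` line is followed by an added blank `+` line before `update = test_and_clear_bit(...)`, which does not match the spacing of the surrounding code; drop the extra blank line. Also, the `atomic_read(&inode->i_writecount) == 1` test deliberately stays on the overlay inode while the IS_I_VERSION()/inode_eq_iversion() checks move to real_inode; one sentence in the commit message explaining why the writer count is checked on the overlay inode but the version on the real inode would make that split explicit. Since d_real_inode() resolves to the dentry's own inode on non-overlay filesystems, behaviour for regular files is unchanged, which is worth stating as well.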

Feedback: The patch(es) which you have sent to kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/16640
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/R5W...
participants (2)
- Gu Bowen
- patchwork bot