From: GUO Zihua <guozihua@huawei.com>

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD
CVE: NA
--------------------------------
Having IMA detect backing inode changes through the i_version of the backing inode would introduce a performance degradation, so introduce a config option to allow users to turn the i_version detection on and off.

Signed-off-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
---
 security/integrity/ima/Kconfig    | 8 ++++++++
 security/integrity/ima/ima_main.c | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 213dc7079f84..9e254c5cb117 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -368,3 +368,11 @@ config IMA_PARSER_BINARY_PATH default "/usr/bin/upload_digest_lists" help This option defines the path of the parser binary. + +config IMA_FIX_OVERLAYFS_DETECTION + bool + default y + help + This option enables the fix for overlayfs backing inode change + detection. With this config enabled, IMA would be detecting + backing inode changes through i_version of the backing inode. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 389d6e957357..0a202a4f07c1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -267,7 +267,11 @@ static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, enum ima_hooks func) { +#ifdef IMA_FIX_OVERLAYFS_DETECTION struct inode *backing_inode, *inode = file_inode(file); +#else + struct inode *inode = file_inode(file); +#endif struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc = NULL; char *pathbuf = NULL; @@ -344,6 +348,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; }
+#ifdef IMA_FIX_OVERLAYFS_DETECTION /* Detect and re-evaluate changes made to the backing file. */ backing_inode = d_real_inode(file_dentry(file)); if (backing_inode != inode && @@ -356,6 +361,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } } +#endif
/* Determine if already appraised/measured based on bitmask * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
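Review bot: In the Kconfig hunk, `config IMA_FIX_OVERLAYFS_DETECTION` is a bare `bool` with no prompt string, so it is never shown in menuconfig and cannot be switched off from a .config, which defeats the commit message's stated goal of letting users turn the i_version detection on and off. Give it a prompt, e.g. `bool "Detect overlayfs backing inode changes via i_version"`, and have the help text state the performance cost that motivates disabling it, since that is the information a user needs to choose.

Review bot: In the declaration hunk of process_measurement(), `#ifdef IMA_FIX_OVERLAYFS_DETECTION` tests the wrong symbol: Kconfig options reach C code with a `CONFIG_` prefix, so this must be `#ifdef CONFIG_IMA_FIX_OVERLAYFS_DETECTION`. As written the macro is never defined, the `#else` branch is always compiled, and `default y` in Kconfig has no effect on the built kernel.

Review bot: The `#ifdef IMA_FIX_OVERLAYFS_DETECTION` around the `d_real_inode()` block has the same missing `CONFIG_` prefix, so with this patch the backing inode detection is silently compiled out unconditionally rather than made optional. Rather than two `#ifdef` regions and a duplicated `struct inode *inode` declaration, declare `backing_inode` unconditionally and guard the block with `if (IS_ENABLED(CONFIG_IMA_FIX_OVERLAYFS_DETECTION)) { ... }`, which keeps the code compiled in both configurations and would have caught the wrong symbol name at build time.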