From: GUO Zihua guozihua@huawei.com
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I9V12H
CVE: NA
--------------------------------
IMA detecting backing inode changes through the i_version of the backing inode would introduce a performance degradation, so introduce a config to allow users to choose whether to bypass the i_version detection.
Signed-off-by: GUO Zihua guozihua@huawei.com
Signed-off-by: Xiang Yang xiangyang3@huawei.com
---
 security/integrity/ima/Kconfig    | 8 ++++++++
 security/integrity/ima/ima_main.c | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 46cb469e06ab..9d920d3ff4f0 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -368,4 +368,12 @@ config IMA_PARSER_BINARY_PATH help This option defines the path of the parser binary.
+config IMA_OVERLAYFS_DETECTION_BYPASS + bool "Bypass overlayfs backing inode change detection" + default n + help + This option enables user to bypass the overlayfs backing inode + change detection, while the detection may causes performance + regression. With this config enabled, IMA will not detect inode + change through i_version of the backing inode. If unsure, say N. endif diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d29dc604e1d3..9b251ecfa7c2 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -282,7 +282,11 @@ static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, enum ima_hooks func) { +#ifndef CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS struct inode *backing_inode, *inode = file_inode(file); +#else + struct inode *inode = file_inode(file); +#endif struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc = NULL; char *pathbuf = NULL; @@ -362,6 +366,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; }
+#ifndef CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS /* Detect and re-evaluate changes made to the backing file. */ backing_inode = d_real_inode(file_dentry(file)); if (backing_inode != inode && @@ -374,6 +379,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } } +#endif
/* Determine if already appraised/measured based on bitmask * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
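Review bot: the help text for IMA_OVERLAYFS_DETECTION_BYPASS in the Kconfig hunk describes only the performance side of the trade-off; since saying Y makes IMA stop re-evaluating a file whose backing inode has changed, the help text should state that consequence for measurement and appraisal results so the user knows what is given up. It also has grammar slips worth fixing: "enables user to bypass" should read "allows the user to bypass", and "may causes performance regression" should read "may cause a performance regression".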
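Review bot: in the first ima_main.c hunk the #ifndef/#else pair around the declaration of `backing_inode` exists only to avoid an unused-variable warning, and kernel style discourages #ifdef blocks inside .c files. Consider keeping `struct inode *inode = file_inode(file);` unconditional and guarding the detection with `if (!IS_ENABLED(CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS))`, declaring `backing_inode` inside that block; the code then stays compiled and type-checked in both configurations and the compiler drops the dead branch.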
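Review bot: the second ima_main.c hunk wraps the whole backing-inode detection block in #ifndef CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS, which turns a security check into a compile-time decision: a distribution kernel built with the option set loses re-measurement of files modified on the backing layer for every user of that kernel. A runtime switch, for example a kernel command-line parameter evaluated where the existing IMA setup runs, would let one kernel binary serve both cases; if the compile-time option is kept, the commit message should spell out that the detection is skipped entirely rather than made cheaper.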
Feedback: The patch(es) you sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/8615 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/J...