GUO Zihua (1): IMA: Introduce a config to bypass i_version detection for Overlayfs issue
Xiang Yang (1): config: Enable CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS in openeuler defconfigs
 arch/arm64/configs/openeuler_defconfig | 1 +
 arch/x86/configs/openeuler_defconfig   | 1 +
 security/integrity/ima/Kconfig         | 8 ++++++++
 security/integrity/ima/ima_main.c      | 6 ++++++
 4 files changed, 16 insertions(+)
From: GUO Zihua <guozihua@huawei.com>

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I9V12H
CVE: NA
--------------------------------
IMA detecting backing inode changes through the i_version of the backing inode would introduce a performance degradation, so introduce a config that allows users to choose whether to bypass the i_version detection.

Signed-off-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
---
 security/integrity/ima/Kconfig    | 8 ++++++++
 security/integrity/ima/ima_main.c | 6 ++++++
 2 files changed, 14 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 46cb469e06ab..9d920d3ff4f0 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -368,4 +368,12 @@ config IMA_PARSER_BINARY_PATH help This option defines the path of the parser binary.
+config IMA_OVERLAYFS_DETECTION_BYPASS + bool "Bypass overlayfs backing inode change detection" + default n + help + This option enables user to bypass the overlayfs backing inode + change detection, while the detection may causes performance + regression. With this config enabled, IMA will not detect inode + change through i_version of the backing inode. If unsure, say N. endif diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d29dc604e1d3..9b251ecfa7c2 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -282,7 +282,11 @@ static int process_measurement(struct file *file, const struct cred *cred, u32 secid, char *buf, loff_t size, int mask, enum ima_hooks func) { +#ifndef CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS struct inode *backing_inode, *inode = file_inode(file); +#else + struct inode *inode = file_inode(file); +#endif struct integrity_iint_cache *iint = NULL; struct ima_template_desc *template_desc = NULL; char *pathbuf = NULL; @@ -362,6 +366,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; }
+#ifndef CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS /* Detect and re-evaluate changes made to the backing file. */ backing_inode = d_real_inode(file_dentry(file)); if (backing_inode != inode && @@ -374,6 +379,7 @@ static int process_measurement(struct file *file, const struct cred *cred, iint->measured_pcrs = 0; } } +#endif
/* Determine if already appraised/measured based on bitmask * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
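Review bot: The help text in the IMA_OVERLAYFS_DETECTION_BYPASS Kconfig hunk describes only the performance side of the option and not what is given up: with it enabled, the "Detect and re-evaluate changes made to the backing file" step is compiled out, so a file already measured or appraised through overlayfs keeps its cached result instead of being re-evaluated when the lower or upper file behind it changes. State that integrity trade-off next to the performance motivation, and fix the grammar: "This option enables user to bypass" should read "This option allows users to bypass", and "while the detection may causes performance regression" should read "because that detection may cause a performance regression".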
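Review bot: The ima_main.c hunks put three #ifndef/#else/#endif blocks inside process_measurement(), including a duplicated declaration of `inode`, which kernel style discourages in .c files. The same behaviour without preprocessor branches: keep the single `struct inode *backing_inode, *inode = file_inode(file);` declaration and wrap the backing-inode block in `if (!IS_ENABLED(CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS)) { ... }`, so both configurations stay compile-tested by every build and the bypass is one obvious condition rather than two separate #ifndef regions that must be kept in step.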
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I9V12H
--------------------------------
Enable CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS in openeuler_defconfigs, as it should be on EulerOS's configs.
Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
---
 arch/arm64/configs/openeuler_defconfig | 1 +
 arch/x86/configs/openeuler_defconfig   | 1 +
 2 files changed, 2 insertions(+)
diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 4a368f3a5964..fc528818dfff 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -7364,6 +7364,7 @@ CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y # CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set CONFIG_IMA_DIGEST_DB_MEGABYTES=16 CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists" +CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS=y CONFIG_EVM=y # CONFIG_EVM_DEFAULT_HASH_SHA1 is not set CONFIG_EVM_DEFAULT_HASH_SHA256=y diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index 38c191ea24be..2ade7462402d 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -8518,6 +8518,7 @@ CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y CONFIG_IMA_DIGEST_DB_MEGABYTES=16 CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists" CONFIG_EVM=y +CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS=y # CONFIG_EVM_DEFAULT_HASH_SHA1 is not set CONFIG_EVM_DEFAULT_HASH_SHA256=y # CONFIG_EVM_DEFAULT_HASH_SHA512 is not set
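Review bot: The two defconfig hunks insert the new option at different positions: the arm64 hunk places CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS=y before CONFIG_EVM=y, matching its position after IMA_PARSER_BINARY_PATH in the Kconfig hunk of the first patch, while the x86 hunk places it after CONFIG_EVM=y. Move the x86 line above CONFIG_EVM=y so both files follow Kconfig order and a later `make savedefconfig` does not churn them. Since these hunks enable the option for every openEuler kernel build, they also turn off overlayfs backing-inode change detection distro-wide; the commit message should record that trade-off rather than only "as it should be on EulerOS's configs".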
FeedBack: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/8624
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/R...