Unverified Commit 8bba4b17 authored Dec 30, 2024 by openeuler-ci-bot Committed by Gitee Dec 30, 2024

!14293 Fix the incorrect definition and use of IMA_FIX_OVERLAYFS_DETECTION

Merge Pull Request from: @ci-robot 
 
PR sync from: Xiang Yang <xiangyang3@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5FPHGQI75RSIPP3H2UMQYR3L272KVVQO/ 
Xiang Yang (2):
  IMA: Fix the incorrect definition and use ofIMA_FIX_OVERLAYFS_DETECTION
  config: Enable IMA_FIX_OVERLAYFS_DETECTION in openeuler defconfigs


-- 
2.34.1
 
https://gitee.com/openeuler/kernel/issues/IBCIAZ 
 
Link:https://gitee.com/openeuler/kernel/pulls/14293

 

Reviewed-by: Liu Chao <liuchao173@huawei.com>
Reviewed-by: Li Nan <linan122@huawei.com>
Signed-off-by: Li Nan <linan122@huawei.com>
Acked-by: Xie XiuQi <xiexiuqi@huawei.com>

parents 013aa462 f2418a97

arch/arm64/configs/openeuler_defconfig

+1 −0

Original line number	Diff line number	Diff line
		@@ -6744,6 +6744,7 @@ CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
		# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
		CONFIG_IMA_DIGEST_DB_MEGABYTES=16
		CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
		CONFIG_IMA_FIX_OVERLAYFS_DETECTION=y
		CONFIG_EVM=y
		# CONFIG_EVM_DEFAULT_HASH_SHA1 is not set
		CONFIG_EVM_DEFAULT_HASH_SHA256=y

arch/x86/configs/openeuler_defconfig

+1 −0

Original line number	Diff line number	Diff line
		@@ -7795,6 +7795,7 @@ CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
		# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
		CONFIG_IMA_DIGEST_DB_MEGABYTES=16
		CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
		CONFIG_IMA_FIX_OVERLAYFS_DETECTION=y
		CONFIG_EVM=y
		# CONFIG_EVM_DEFAULT_HASH_SHA1 is not set
		CONFIG_EVM_DEFAULT_HASH_SHA256=y

security/integrity/ima/Kconfig

+1 −1

Original line number	Diff line number	Diff line
		@@ -370,7 +370,7 @@ config IMA_PARSER_BINARY_PATH
		This option defines the path of the parser binary.

		config IMA_FIX_OVERLAYFS_DETECTION
		bool
		bool "Fix for overlayfs backing inode change detection"
		default y
		help
		This option enables the fix for overlayfs backing inode change

security/integrity/ima/ima_main.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -267,7 +267,7 @@ static int process_measurement(struct file file, const struct cred cred,
		u32 secid, char *buf, loff_t size, int mask,
		enum ima_hooks func)
		{
		#ifdef IMA_FIX_OVERLAYFS_DETECTION
		#ifdef CONFIG_IMA_FIX_OVERLAYFS_DETECTION
		struct inode backing_inode, inode = file_inode(file);
		#else
		struct inode *inode = file_inode(file);
		@@ -348,7 +348,7 @@ static int process_measurement(struct file file, const struct cred cred,
		iint->measured_pcrs = 0;
		}

		#ifdef IMA_FIX_OVERLAYFS_DETECTION
		#ifdef CONFIG_IMA_FIX_OVERLAYFS_DETECTION
		/* Detect and re-evaluate changes made to the backing file. */
		backing_inode = d_real_inode(file_dentry(file));
		if (backing_inode != inode &&