Commit a670a0ed authored by GUO Zihua's avatar GUO Zihua Committed by Xiang Yang

IMA: Introduce a config for fix on IMA with Overlayfs issue

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I9T6ZD


CVE: NA

--------------------------------

Having IMA detect backing inode changes through the i_version of the backing inode introduces a performance degradation, so introduce a config option that allows users to turn the i_version detection on and off.

Signed-off-by: default avatarGUO Zihua <guozihua@huawei.com>
Signed-off-by: default avatarXiang Yang <xiangyang3@huawei.com>
parent 43993247
+8 −0
@@ -368,3 +368,11 @@ config IMA_PARSER_BINARY_PATH
	default "/usr/bin/upload_digest_lists"
	help
	   This option defines the path of the parser binary.

config IMA_FIX_OVERLAYFS_DETECTION
	bool
	default y
	help
	   This option enables the fix for overlayfs backing inode change
	   detection. With this config enabled, IMA would be detecting
	   backing inode changes through i_version of the backing inode.
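Review bot: The new `config IMA_FIX_OVERLAYFS_DETECTION` entry declares `bool` with no prompt string, so the option never appears in menuconfig and cannot be toggled by users, which is the stated purpose of the commit; with `default y` it is silently always on. Give the symbol a prompt, e.g. `bool "Detect overlayfs backing inode changes in IMA"`, so the help text is actually reachable. The help text would also benefit from naming the trade-off the commit message describes, e.g. `Disabling this avoids the per-measurement i_version check, but changes to the backing file of an overlayfs file will no longer be re-evaluated.`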
+6 −0
@@ -267,7 +267,11 @@ static int process_measurement(struct file *file, const struct cred *cred,
			       u32 secid, char *buf, loff_t size, int mask,
			       enum ima_hooks func)
{
#ifdef IMA_FIX_OVERLAYFS_DETECTION
	struct inode *backing_inode, *inode = file_inode(file);
#else
	struct inode *inode = file_inode(file);
#endif
	struct integrity_iint_cache *iint = NULL;
	struct ima_template_desc *template_desc = NULL;
	char *pathbuf = NULL;
@@ -344,6 +348,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
		iint->measured_pcrs = 0;
	}

#ifdef IMA_FIX_OVERLAYFS_DETECTION
	/* Detect and re-evaluate changes made to the backing file. */
	backing_inode = d_real_inode(file_dentry(file));
	if (backing_inode != inode &&
@@ -356,6 +361,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
			iint->measured_pcrs = 0;
		}
	}
#endif

	/* Determine if already appraised/measured based on bitmask
	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
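Review bot: `#ifdef IMA_FIX_OVERLAYFS_DETECTION` at the top of process_measurement, and the matching guards around the d_real_inode() block in the two later hunks, test a macro that Kconfig never defines; the preprocessor symbol generated for `config IMA_FIX_OVERLAYFS_DETECTION` is `CONFIG_IMA_FIX_OVERLAYFS_DETECTION`. As written the backing-inode re-evaluation is compiled out regardless of the option's value, so the overlayfs change detection silently stops working while the build still succeeds and nothing warns. All three guards should read `#ifdef CONFIG_IMA_FIX_OVERLAYFS_DETECTION` (or `#if IS_ENABLED(CONFIG_IMA_FIX_OVERLAYFS_DETECTION)` since the symbol is a bool), and a quick check that `backing_inode` is only referenced under the same guard would confirm the `#else` declaration path still compiles cleanly. process_measurement's body continues outside the hunks shown.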