Commit d82aacb9 authored by GUO Zihua's avatar GUO Zihua Committed by Xiang Yang

IMA: Introduce a config to bypass i_version detection for Overlayfs issue

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I9V12H


CVE: NA

--------------------------------

Detecting changes to the backing inode in IMA through the i_version of the
backing inode introduces a performance degradation, so introduce a config
option that lets users choose whether to bypass the i_version detection.

Signed-off-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: Xiang Yang <xiangyang3@huawei.com>
parent b1acaf02
+1 −0
@@ -7364,6 +7364,7 @@ CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
CONFIG_IMA_DIGEST_DB_MEGABYTES=16
CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
# CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS is not set
CONFIG_EVM=y
# CONFIG_EVM_DEFAULT_HASH_SHA1 is not set
CONFIG_EVM_DEFAULT_HASH_SHA256=y
+1 −0
@@ -8517,6 +8517,7 @@ CONFIG_IMA_STANDARD_DIGEST_DB_SIZE=y
# CONFIG_IMA_CUSTOM_DIGEST_DB_SIZE is not set
CONFIG_IMA_DIGEST_DB_MEGABYTES=16
CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
# CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS is not set
CONFIG_EVM=y
# CONFIG_EVM_DEFAULT_HASH_SHA1 is not set
CONFIG_EVM_DEFAULT_HASH_SHA256=y
+8 −0
@@ -368,4 +368,12 @@ config IMA_PARSER_BINARY_PATH
	help
	   This option defines the path of the parser binary.

config IMA_OVERLAYFS_DETECTION_BYPASS
	bool "Bypass overlayfs backing inode change detection"
	default n
	help
	   This option enables user to bypass the overlayfs backing inode
	   change detection, while the detection may causes performance
	   regression. With this config enabled, IMA will not detect inode
	   change through i_version of the backing inode.  If unsure, say N.
endif
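Review bot: The help text at lines 56-59 gives the performance motivation but not the security trade-off, which is what a user deciding on this option needs: with it enabled, IMA no longer re-evaluates a file whose backing inode changed under an overlayfs mount (the "Detect and re-evaluate changes made to the backing file" path in ima_main.c is compiled out), so a previously measured or appraised result can be reused for content that has since changed. I would add a sentence such as `Enabling this option means changes made to the backing file of an overlayfs inode are not detected and the file is not re-measured or re-appraised; only enable it when the performance cost is unacceptable and the lower layers are trusted.` While there, `This option enables user to bypass` should read `This option allows the user to bypass`, and `while the detection may causes performance regression` should read `because that detection may cause a performance regression`. `default n` is redundant for a bool symbol and is normally dropped.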
+6 −0
@@ -282,7 +282,11 @@ static int process_measurement(struct file *file, const struct cred *cred,
			       u32 secid, char *buf, loff_t size, int mask,
			       enum ima_hooks func)
{
#ifndef CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS
	struct inode *backing_inode, *inode = file_inode(file);
#else
	struct inode *inode = file_inode(file);
#endif
	struct integrity_iint_cache *iint = NULL;
	struct ima_template_desc *template_desc = NULL;
	char *pathbuf = NULL;
@@ -362,6 +366,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
		iint->measured_pcrs = 0;
	}

#ifndef CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS
	/* Detect and re-evaluate changes made to the backing file. */
	backing_inode = d_real_inode(file_dentry(file));
	if (backing_inode != inode &&
@@ -374,6 +379,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
			iint->measured_pcrs = 0;
		}
	}
#endif

	/* Determine if already appraised/measured based on bitmask
	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
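Review bot: The `#ifndef`/`#else` pair at lines 67-71 duplicates the declaration of `inode` only to drop `backing_inode`, and the same symbol is then tested again with `#ifndef`/`#endif` in the second and third hunks; kernel style prefers `IS_ENABLED()` in .c files so that both configurations are compiled and type-checked and no preprocessor blocks straddle the function. Declaring `inode` unconditionally, declaring `backing_inode` once, and resolving it to `inode` when the bypass is configured lets the existing `backing_inode != inode` test short-circuit with no extra cost and removes all three `#if` blocks. The `if` condition at line 82 continues outside the hunk, so its remaining operands and the body are untouched. A comment at that point should also say what the bypass gives up, since the security consequence is otherwise invisible at the call site.

```c
	struct inode *inode = file_inode(file);
	struct inode *backing_inode;
	/* … unchanged: remaining locals … */

	/*
	 * Detect and re-evaluate changes made to the backing file.
	 * With CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS the backing file is
	 * never re-evaluated, trading change detection for performance.
	 */
	backing_inode = IS_ENABLED(CONFIG_IMA_OVERLAYFS_DETECTION_BYPASS) ?
			inode : d_real_inode(file_dentry(file));
	if (backing_inode != inode &&
	/* … unchanged: rest of the condition and body; the #endif is dropped … */
```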