From: Christian Brauner <brauner@kernel.org>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: zohar@linux.ibm.com, linux-integrity@vger.kernel.org,
miklos@szeredi.hu, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org,
amir73il@gmail.com
Subject: Re: [PATCH] overlayfs: Trigger file re-evaluation by IMA / EVM after writes
Date: Thu, 6 Apr 2023 12:26:13 +0200 [thread overview]
Message-ID: <20230406-diffamieren-langhaarig-87511897e77d@brauner> (raw)
In-Reply-To: <20230405171449.4064321-1-stefanb@linux.ibm.com>
On Wed, Apr 05, 2023 at 01:14:49PM -0400, Stefan Berger wrote:
> Overlayfs fails to notify IMA / EVM about file content modifications
> and therefore IMA-appraised files may execute even though their file
> signature does not validate against the changed hash of the file
> anymore. To resolve this issue, add a call to integrity_notify_change()
> to the ovl_release() function to notify the integrity subsystem about
> file changes. The set flag triggers the re-evaluation of the file by
> IMA / EVM once the file is accessed again.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> fs/overlayfs/file.c | 4 ++++
> include/linux/integrity.h | 6 ++++++
> security/integrity/iint.c | 13 +++++++++++++
> 3 files changed, 23 insertions(+)
>
> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> index 6011f955436b..19b8f4bcc18c 100644
> --- a/fs/overlayfs/file.c
> +++ b/fs/overlayfs/file.c
> @@ -13,6 +13,7 @@
> #include <linux/security.h>
> #include <linux/mm.h>
> #include <linux/fs.h>
> +#include <linux/integrity.h>
> #include "overlayfs.h"
>
> struct ovl_aio_req {
> @@ -169,6 +170,9 @@ static int ovl_open(struct inode *inode, struct file *file)
>
> static int ovl_release(struct inode *inode, struct file *file)
> {
> + if (file->f_flags & O_ACCMODE)
> + integrity_notify_change(inode);
> +
> fput(file->private_data);
>
> return 0;
> diff --git a/include/linux/integrity.h b/include/linux/integrity.h
> index 2ea0f2f65ab6..cefdeccc1619 100644
> --- a/include/linux/integrity.h
> +++ b/include/linux/integrity.h
> @@ -23,6 +23,7 @@ enum integrity_status {
> #ifdef CONFIG_INTEGRITY
> extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
> extern void integrity_inode_free(struct inode *inode);
> +extern void integrity_notify_change(struct inode *inode);
I thought we concluded that ima is going to move into the security hook
infrastructure so it seems this should be a proper LSM hook?
next prev parent reply other threads:[~2023-04-06 10:26 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-05 17:14 [PATCH] overlayfs: Trigger file re-evaluation by IMA / EVM after writes Stefan Berger
2023-04-06 10:26 ` Christian Brauner [this message]
2023-04-06 14:05 ` Paul Moore
2023-04-06 14:20 ` Stefan Berger
2023-04-06 14:36 ` Paul Moore
2023-04-06 15:01 ` Christian Brauner
2023-04-06 18:46 ` Jeff Layton
2023-04-06 19:11 ` Stefan Berger
2023-04-06 19:37 ` Jeff Layton
2023-04-06 20:22 ` Stefan Berger
2023-04-06 21:24 ` Jeff Layton
2023-04-06 21:58 ` Stefan Berger
2023-04-06 22:09 ` Jeff Layton
2023-04-06 22:04 ` Jeff Layton
2023-04-06 22:27 ` Stefan Berger
2023-04-07 8:31 ` Christian Brauner
2023-04-07 13:29 ` Jeff Layton
2023-04-09 15:22 ` Christian Brauner
2023-04-09 22:12 ` Jeff Layton
2023-04-11 8:38 ` Christian Brauner
2023-04-11 9:32 ` Jeff Layton
2023-04-11 9:49 ` Christian Brauner
2023-04-11 10:13 ` Jeff Layton
2023-04-11 14:08 ` Christian Brauner
2023-04-21 14:55 ` Mimi Zohar
2023-04-17 1:57 ` Stefan Berger
2023-04-17 8:11 ` Christian Brauner
2023-04-17 10:05 ` Jeff Layton
2023-04-17 12:45 ` Stefan Berger
2023-04-17 13:18 ` Jeff Layton
2023-04-21 14:43 ` Mimi Zohar
2023-05-18 20:46 ` Paul Moore
2023-05-18 20:50 ` Mimi Zohar
2023-05-19 14:58 ` Paul Moore
2023-05-25 14:43 ` Mimi Zohar
2023-05-19 19:42 ` Mimi Zohar
2023-05-20 9:15 ` Amir Goldstein
2023-05-22 12:18 ` Mimi Zohar
2023-05-22 14:00 ` Amir Goldstein
2023-05-23 19:38 ` Mimi Zohar
2023-05-20 9:17 ` Christian Brauner
2023-05-21 22:49 ` Dave Chinner
2023-05-23 17:35 ` Mimi Zohar
2023-04-17 14:07 ` Stefan Berger
2023-04-07 6:42 ` Amir Goldstein
2023-04-06 16:10 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230406-diffamieren-langhaarig-87511897e77d@brauner \
--to=brauner@kernel.org \
--cc=amir73il@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).