From: Mimi Zohar <zohar@linux.ibm.com>
To: Frederick Lawler <fred@cloudflare.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Darrick J. Wong" <djwong@kernel.org>,
Christian Brauner <brauner@kernel.org>,
Josef Bacik <josef@toxicpanda.com>,
Jeff Layton <jlayton@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
kernel-team@cloudflare.com
Subject: Re: [PATCH RFC] ima: Fallback to a ctime guard without i_version updates
Date: Mon, 05 Jan 2026 17:15:15 -0500 [thread overview]
Message-ID: <4a4778ff395e533cad86ff3ffbf0ba90c3eb8798.camel@linux.ibm.com> (raw)
In-Reply-To: <20251229-xfs-ima-fixup-v1-1-6a717c939f7c@cloudflare.com>
On Mon, 2025-12-29 at 11:52 -0600, Frederick Lawler wrote:
> Since commit 1cf7e834a6fb ("xfs: switch to multigrain timestamps"), IMA
> is no longer able to correctly track inode.i_version due to the struct
> kstat.change_cookie no longer containing an updated i_version.
>
> Introduce a fallback mechanism for IMA that instead tracks a
> integrity_ctime_guard() in absence of or outdated i_version
> for stacked file systems.
Thanks, Frederick.
Instead of using the new function name integrity_ctime_guard() to describe the
change, please describe the change in words. Perhaps something like: rely on
the inode's ctime to detect a file data or metadata change.
The purpose of generating a ctime guard value, as opposed to using the tv_sec
and tv_nsec, I assume is to minimize the amount of memory being saved in the
iint.
>
> EVM is left alone since it mostly cares about the backing inode.
>
> Link: https://lore.kernel.org/all/aTspr4_h9IU4EyrR@CMGLRV3
> Fixes: 1cf7e834a6fb ("xfs: switch to multigrain timestamps")
> Suggested-by: Jeff Layton <jlayton@kernel.org>
> Signed-off-by: Frederick Lawler <fred@cloudflare.com>
> ---
> The motivation behind this was that file systems that use the
> cookie to set the i_version for stacked file systems may still do so.
> Then add in the ctime_guard as a fallback if there's a detected change.
> The assumption is that the ctime will be different if the i_version is
> different anyway for non-stacked file systems.
Agreed. This patch inverts the i_version test to return immediately if the
i_version hasn't changed and then checks the ctime guard value. Is the ctime
guard value test simply a performance improvement?
>
> I'm not too pleased with passing in struct file* to
> integrity_inode_attrs_changed() since EVM doesn't currently use
> that for now, but I couldn't come up with another idea to get the
> stat without coming up with a new stat function to accommodate just
> the file path, fully separate out IMA/EVM checks, or lastly add stacked
> file system support to EVM (which doesn't make much sense to me
> at the moment).
>
> I plan on adding in self test infrastructure for the v1, but I would
> like to get some early feedback on the approach first.
I really appreciate your adding a self test.
thanks,
Mimi
next prev parent reply other threads:[~2026-01-05 22:15 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-29 17:52 [PATCH RFC] ima: Fallback to a ctime guard without i_version updates Frederick Lawler
2026-01-05 22:15 ` Mimi Zohar [this message]
2026-01-05 23:09 ` Frederick Lawler
2026-01-06 0:45 ` Mimi Zohar
2026-01-06 12:01 ` Jeff Layton
2026-01-06 16:43 ` Frederick Lawler
2026-01-06 19:33 ` Frederick Lawler
2026-01-06 19:50 ` Jeff Layton
2026-01-07 19:56 ` Frederick Lawler
2026-01-07 21:10 ` Jeff Layton
2026-01-12 14:02 ` Mimi Zohar
2026-01-12 17:14 ` Frederick Lawler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4a4778ff395e533cad86ff3ffbf0ba90c3eb8798.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=djwong@kernel.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=fred@cloudflare.com \
--cc=jlayton@kernel.org \
--cc=jmorris@namei.org \
--cc=josef@toxicpanda.com \
--cc=kernel-team@cloudflare.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox