Re: [PATCH] overlayfs: Trigger file re-evaluation by IMA / EVM after writes

From: Stefan Berger
Date: Thu Apr 06 2023 - 18:00:25 EST




On 4/6/23 17:24, Jeff Layton wrote:
On Thu, 2023-04-06 at 16:22 -0400, Stefan Berger wrote:

On 4/6/23 15:37, Jeff Layton wrote:
On Thu, 2023-04-06 at 15:11 -0400, Stefan Berger wrote:

On 4/6/23 14:46, Jeff Layton wrote:
On Thu, 2023-04-06 at 17:01 +0200, Christian Brauner wrote:
On Thu, Apr 06, 2023 at 10:36:41AM -0400, Paul Moore wrote:


Correct. As long as IMA is also measuring the upper inode then it seems
like you shouldn't need to do anything special here.

Unfortunately IMA does not notice the changes. With the patch provided in the other email IMA works as expected.



It looks like remeasurement is usually done in ima_check_last_writer.
That gets called from __fput which is called when we're releasing the
last reference to the struct file.

You've hooked into the ->release op, which gets called whenever
filp_close is called, which happens when we're disassociating the file
from the file descriptor table.

So...I don't get it. Is ima_file_free not getting called on your file
for some reason when you go to close it? It seems like that should be
handling this.

I would ditch the original proposal in favor of this 2-line patch shown here:

https://lore.kernel.org/linux-integrity/a95f62ed-8b8a-38e5-e468-ecbde3b221af@xxxxxxxxxxxxx/T/#m3bd047c6e5c8200df1d273c0ad551c645dd43232



Ok, I think I get it. IMA is trying to use the i_version from the
overlayfs inode.

I suspect that the real problem here is that IMA is just doing a bare
inode_query_iversion. Really, we ought to make IMA call
vfs_getattr_nosec (or something like it) to query the getattr routine in
the upper layer. Then overlayfs could just propagate the results from
the upper layer in its response.

You mean compare known stat against current ? It seems more expensive to stat the file
rather than using the simple i_version-has-changed indicator.


That sort of design may also eventually help IMA work properly with more
exotic filesystems, like NFS or Ceph.

And these don't support i_version at all?

Stefan