[PATCH] overlayfs: Trigger file re-evaluation by IMA / EVM after writes
Stefan Berger
stefanb at linux.ibm.com
Wed Apr 5 17:14:49 UTC 2023
Overlayfs fails to notify IMA / EVM about file content modifications
and therefore IMA-appraised files may execute even though their file
signature does not validate against the changed hash of the file
anymore. To resolve this issue, add a call to integrity_notify_change()
to the ovl_release() function to notify the integrity subsystem about
file changes. The set flag triggers the re-evaluation of the file by
IMA / EVM once the file is accessed again.
Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
---
fs/overlayfs/file.c | 4 ++++
include/linux/integrity.h | 6 ++++++
security/integrity/iint.c | 13 +++++++++++++
3 files changed, 23 insertions(+)
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 6011f955436b..19b8f4bcc18c 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -13,6 +13,7 @@
#include <linux/security.h>
#include <linux/mm.h>
#include <linux/fs.h>
+#include <linux/integrity.h>
#include "overlayfs.h"
struct ovl_aio_req {
@@ -169,6 +170,9 @@ static int ovl_open(struct inode *inode, struct file *file)
static int ovl_release(struct inode *inode, struct file *file)
{
+ if (file->f_flags & O_ACCMODE)
+ integrity_notify_change(inode);
+
fput(file->private_data);
return 0;
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 2ea0f2f65ab6..cefdeccc1619 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -23,6 +23,7 @@ enum integrity_status {
#ifdef CONFIG_INTEGRITY
extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
extern void integrity_inode_free(struct inode *inode);
+extern void integrity_notify_change(struct inode *inode);
extern void __init integrity_load_keys(void);
#else
@@ -37,6 +38,11 @@ static inline void integrity_inode_free(struct inode *inode)
return;
}
+static inline void integrity_notify_change(struct inode *inode)
+{
+ return;
+}
+
static inline void integrity_load_keys(void)
{
}
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 8638976f7990..70d2d716f3ae 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -85,6 +85,19 @@ static void iint_free(struct integrity_iint_cache *iint)
kmem_cache_free(iint_cache, iint);
}
+void integrity_notify_change(struct inode *inode)
+{
+ struct integrity_iint_cache *iint;
+
+ if (!IS_IMA(inode))
+ return;
+
+ iint = integrity_iint_find(inode);
+ if (iint)
+ set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
+}
+EXPORT_SYMBOL_GPL(integrity_notify_change);
+
/**
* integrity_inode_get - find or allocate an iint associated with an inode
* @inode: pointer to the inode
--
2.34.1
More information about the Linux-security-module-archive
mailing list