[PATCH] IMA: use vfs_getattr_nosec to get the i_version

Christian Brauner brauner at kernel.org
Tue Apr 18 09:08:07 UTC 2023


On Mon, Apr 17, 2023 at 12:55:51PM -0400, Jeff Layton wrote:
> IMA currently accesses the i_version out of the inode directly when it
> does a measurement. This is fine for most simple filesystems, but can be
> problematic with more complex setups (e.g. overlayfs).
> 
> Make IMA instead call vfs_getattr_nosec to get this info. This allows
> the filesystem to determine whether and how to report the i_version, and
> should allow IMA to work properly with a broader class of filesystems in
> the future.
> 
> Reported-and-Tested-by: Stefan Berger <stefanb at linux.ibm.com>
> Signed-off-by: Jeff Layton <jlayton at kernel.org>
> ---

Excellent, thanks,
Reviewed-by: Christian Brauner <brauner at kernel.org>


