[PATCH 4/5] evm: Use the real inode's metadata to calculate metadata hash

Stefan Berger stefanb at linux.ibm.com
Fri Feb 2 14:59:17 UTC 2024



On 2/2/24 04:24, Amir Goldstein wrote:
> On Thu, Feb 1, 2024 at 10:35 PM Stefan Berger <stefanb at linux.ibm.com> wrote:

> 
>>
>> and your suggested change to this patch :
>>
>> -       struct inode *inode = d_real_inode(dentry);
>> +       struct inode *inode = d_inode(d_real(dentry, false));;
>>
> 
> In the new version I change the API to use an enum instead of bool, e.g.:
> 
>         struct inode *inode = d_inode(d_real(dentry, D_REAL_METADATA));

Thanks. I will use it.

> 
> This catches in build time and in run time, callers that were not converted
> to the new API.
> 
>> The test cases are now passing with and without metacopy enabled. Yay!
> 
> Too soon to be happy.
> I guess you are missing a test for the following case:
> 1. file was meta copied up (change is detected)
> 2. the lower file that contains the data is being changed (change is
> not detected)

Right. Though it seems there's something wrong with overlayfs as well 
after appending a byte to the file on the lower.

-rwxr-xr-x    1 0        0               25 Feb  2 14:55 
/ext4.mount/lower/test_rsa_portable2
-rwxr-xr-x    1 0        0               24 Feb  2 14:55 
/ext4.mount/overlay/test_rsa_portable2
bb16aa5350bcc8863da1a873c846fec9281842d9 
/ext4.mount/lower/test_rsa_portable2
bb16aa5350bcc8863da1a873c846fec9281842d9 
/ext4.mount/overlay/test_rsa_portable2

We have a hash collision on a file with 24 bytes and the underlying one 
with 25 byte. (-;  :-)

   Stefan



More information about the Linux-security-module-archive mailing list