[PATCH 4/5] evm: Use the real inode's metadata to calculate metadata hash
Stefan Berger
stefanb at linux.ibm.com
Fri Feb 2 14:59:17 UTC 2024
On 2/2/24 04:24, Amir Goldstein wrote:
> On Thu, Feb 1, 2024 at 10:35 PM Stefan Berger <stefanb at linux.ibm.com> wrote:
>
>>
>> and your suggested change to this patch :
>>
>> - struct inode *inode = d_real_inode(dentry);
>> + struct inode *inode = d_inode(d_real(dentry, false));;
>>
>
> In the new version I change the API to use an enum instead of bool, e.g.:
>
> struct inode *inode = d_inode(d_real(dentry, D_REAL_METADATA));
Thanks. I will use it.
>
> This catches in build time and in run time, callers that were not converted
> to the new API.
>
>> The test cases are now passing with and without metacopy enabled. Yay!
>
> Too soon to be happy.
> I guess you are missing a test for the following case:
> 1. file was meta copied up (change is detected)
> 2. the lower file that contains the data is being changed (change is
> not detected)
Right. Though it seems there's something wrong with overlayfs as well
after appending a byte to the file on the lower.
-rwxr-xr-x 1 0 0 25 Feb 2 14:55
/ext4.mount/lower/test_rsa_portable2
-rwxr-xr-x 1 0 0 24 Feb 2 14:55
/ext4.mount/overlay/test_rsa_portable2
bb16aa5350bcc8863da1a873c846fec9281842d9
/ext4.mount/lower/test_rsa_portable2
bb16aa5350bcc8863da1a873c846fec9281842d9
/ext4.mount/overlay/test_rsa_portable2
We have a hash collision on a file with 24 bytes and the underlying one
with 25 byte. (-; :-)
Stefan
More information about the Linux-security-module-archive
mailing list