[PATCH v3 04/10] evm: Use the metadata inode to calculate metadata hash

Mimi Zohar zohar at linux.ibm.com
Tue Mar 19 22:51:42 UTC 2024


On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote:
> Changes to file attributes (mode bits, uid, gid) on the lower layer are
> not taken into account when d_backing_inode() is used when a file is
> accessed on the overlay layer and this file has not yet been copied up.
> This is because d_backing_inode() does not return the real inode of the
> lower layer but instead returns the backing inode which in this case
> holds wrong file attributes. Further, when CONFIG_OVERLAY_FS_METACOPY is
> enabled and a copy-up is triggered due to file metadata changes, then
> the metadata are held by the backing inode while the data are still held
> by the real inode. Therefore, use d_inode(d_real(dentry, D_REAL_METADATA))
> to get to the file's metadata inode and use it to calculate the metadata
> hash.
> 
> Co-developed-by: Mimi Zohar <zohar at linux.ibm.com>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> Acked-by: Amir Goldstein <amir73il at gmail.com>

Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
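As an added illustration of the inode choice the quoted commit message describes, the following user-space C model (written for this archive page, not kernel code and not part of the patch) replaces the kernel's struct inode/dentry, d_backing_inode() and d_real(dentry, D_REAL_METADATA) with simplified stand-ins; the FNV-1a hash over mode/uid/gid is only a placeholder for EVM's real metadata HMAC.

```c
/* Simplified user-space model of overlay inode selection for the EVM
 * metadata hash. All structs and helpers are stand-ins, not kernel APIs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct inode { uint32_t mode, uid, gid; };

/* An overlay dentry in this model: the overlay's own inode, whose attributes
 * were cached at lookup (what d_backing_inode() hands back), the real lower
 * inode, and a metadata-only upper inode that exists after a metacopy copy-up. */
struct dentry {
    struct inode overlay;
    struct inode lower;
    struct inode upper_meta;
    bool metacopied;
};

/* Model of d_backing_inode(): the overlay's own inode. */
static const struct inode *backing_inode(const struct dentry *d)
{
    return &d->overlay;
}

/* Model of d_inode(d_real(dentry, D_REAL_METADATA)): the inode that
 * currently holds the authoritative file attributes. */
static const struct inode *metadata_inode(const struct dentry *d)
{
    return d->metacopied ? &d->upper_meta : &d->lower;
}

/* Placeholder for EVM's metadata hash: FNV-1a over mode, uid, gid. */
static uint32_t metadata_hash(const struct inode *i)
{
    const uint32_t fields[3] = { i->mode, i->uid, i->gid };
    uint32_t h = 2166136261u;
    for (size_t k = 0; k < 3; k++) {
        h ^= fields[k];
        h *= 16777619u;
    }
    return h;
}

/* Constructed scenario: chmod on the lower layer before any copy-up.
 * Returns true when the old path (backing inode) yields a stale hash while
 * the new path (metadata inode) matches the real lower attributes. */
static bool old_path_is_stale_after_lower_chmod(void)
{
    struct dentry d = { .overlay = { 0644, 1000, 1000 },
                        .lower   = { 0644, 1000, 1000 },
                        .metacopied = false };
    d.lower.mode = 0600;            /* lower-layer change; overlay cache not refreshed */
    uint32_t expected = metadata_hash(&d.lower);
    return metadata_hash(backing_inode(&d)) != expected &&
           metadata_hash(metadata_inode(&d)) == expected;
}
```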
