| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240223172513.4049959-5-stefanb@linux.ibm.com>
Date: Fri, 23 Feb 2024 12:25:07 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-unionfs@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, zohar@...ux.ibm.com, roberto.sassu@...wei.com,
amir73il@...il.com, brauner@...nel.org, miklos@...redi.hu,
Stefan Berger <stefanb@...ux.ibm.com>
Subject: [PATCH v3 04/10] evm: Use the metadata inode to calculate metadata hash
Changes to file attributes (mode bits, uid, gid) on the lower layer are
not taken into account when d_backing_inode() is used when a file is
accessed on the overlay layer and this file has not yet been copied up.
This is because d_backing_inode() does not return the real inode of the
lower layer but instead returns the backing inode which in this case
holds wrong file attributes. Further, when CONFIG_OVERLAY_FS_METACOPY is
enabled and a copy-up is triggered due to file metadata changes, then
the metadata are held by the backing inode while the data are still held
by the real inode. Therefore, use d_inode(d_real(dentry, D_REAL_METADATA))
to get to the file's metadata inode and use it to calculate the metadata
hash with.
Co-developed-by: Mimi Zohar <zohar@...ux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
Acked-by: Amir Goldstein <amir73il@...il.com>
---
security/integrity/evm/evm_crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 7552d49d0725..35416f55391c 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -223,7 +223,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
size_t req_xattr_value_len,
uint8_t type, struct evm_digest *data)
{
- struct inode *inode = d_backing_inode(dentry);
+ struct inode *inode = d_inode(d_real(dentry, D_REAL_METADATA));
struct xattr_list *xattr;
struct shash_desc *desc;
size_t xattr_size = 0;
--
2.43.0
Powered by blists - more mailing lists