Commit db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version")
replaced detecting file change based on i_version with
STATX_CHANGE_COOKIE.
On filesystems without STATX_CHANGE_COOKIE enabled, revert back to detecting file change based on i_version. On filesystems which do not support either, assume the file changed.

Reported-by: Roberto Sassu <[email protected]>
Fixes: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version")
Signed-off-by: Mimi Zohar <[email protected]>
---
Changelog v2:
- Use the real_inode's iversion to detect file change on overlayfs
- Add Roberto's Reported-by tag

 security/integrity/ima/ima_api.c | 13 +++++++----
 security/integrity/ima/ima_main.c | 39 ++++++++++++++++++++++++-------
 2 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c35ea613c9f8..28cf1fe07f8f 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -267,15 +267,20 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file,
 goto out;
 /*
- * Detecting file change is based on i_version. On filesystems
- * which do not support i_version, support was originally limited
- * to an initial measurement/appraisal/audit, but was modified to
- * assume the file changed.
+ * Detect file change based on STATX_CHANGE_COOKIE, when supported,
+ * and fallback to detecting file change based on i_version.
+ *
+ * On filesystems which did not support i_version, support was
+ * originally limited to an initial measurement/appraisal/audit,
+ * but was later modified to assume the file changed.
 */
 result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
 AT_STATX_SYNC_AS_STAT);
 if (!result && (stat.result_mask & STATX_CHANGE_COOKIE))
 i_version = stat.change_cookie;
+ else if (IS_I_VERSION(real_inode))
+ i_version = inode_peek_iversion(real_inode);
+
 hash.hdr.algo = algo;
 hash.hdr.length = hash_digest_size[algo];
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1d6229b156fb..4fc383479847 100644
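Review bot: The new fallback records the baseline with `inode_peek_iversion(real_inode)`, which, as I read the iversion.h contract, returns the counter without marking it queried, so a subsequent write by a process that nobody else has queried in between may leave i_version unchanged and the later `inode_eq_iversion()` comparison in ima_main.c would then report the file as unchanged. The pre-cookie IMA code took this baseline with a querying read, which guarantees the next modification increments the counter; I would change the line to `i_version = inode_query_iversion(real_inode);`. The else-if would also benefit from a one-line comment naming the case it exists for (the changelog suggests the overlayfs inode reporting no change cookie), e.g. `/* no change cookie (e.g. overlayfs): fall back to the real inode's i_version */`, but that reason is inferred from the cover text rather than visible here and should be confirmed. ima_collect_measurement starts before and continues after the hunk, and `real_inode` is declared outside it.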
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -180,6 +180,34 @@ static void ima_rdwr_violation_check(struct file *file,
 "invalid_pcr", "open_writers");
 }
+/*
+ * Detect file change based on STATX_CHANGE_COOKIE, when supported, and
+ * fallback to detecting file change based on i_version. On filesystems
+ * which do not support either, assume the file changed.
+ */
+static bool ima_detect_file_change(struct ima_iint_cache *iint,
+ struct inode *inode, struct file *file)
+{
+ struct kstat stat;
+ int result;
+
+ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE,
+ AT_STATX_SYNC_AS_STAT);
+
+ if (!result && stat.result_mask & STATX_CHANGE_COOKIE &&
+ stat.change_cookie != iint->real_inode.version)
+ return true;
+ else if (!(stat.result_mask & STATX_CHANGE_COOKIE) &&
+ IS_I_VERSION(inode) &&
+ !(inode_eq_iversion(inode, iint->real_inode.version)))
+ return true;
+ else if (!(stat.result_mask & STATX_CHANGE_COOKIE) &&
+ !(IS_I_VERSION(inode)))
+ return true;
+
+ return false;
+}
+
 static void ima_check_last_writer(struct ima_iint_cache *iint,
 struct inode *inode, struct file *file)
 {
@@ -191,18 +219,13 @@ static void ima_check_last_writer(struct ima_iint_cache *iint,
 mutex_lock(&iint->mutex);
 if (atomic_read(&inode->i_writecount) == 1) {
- struct kstat stat;
-
 clear_bit(IMA_EMITTED_OPENWRITERS, &iint->atomic_flags);
 update = test_and_clear_bit(IMA_UPDATE_XATTR,
 &iint->atomic_flags);
- if ((iint->flags & IMA_NEW_FILE) ||
- vfs_getattr_nosec(&file->f_path, &stat,
- STATX_CHANGE_COOKIE,
- AT_STATX_SYNC_AS_STAT) ||
- !(stat.result_mask & STATX_CHANGE_COOKIE) ||
- stat.change_cookie != iint->real_inode.version) {
+
+ if (iint->flags & IMA_NEW_FILE ||
+ ima_detect_file_change(iint, inode, file)) {
 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
 iint->measured_pcrs = 0;
 if (update)
--
2.53.0
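Review bot: `result` is tested only in the first branch of ima_detect_file_change, so when vfs_getattr_nosec() fails the second and third branches still read `stat.result_mask`, and if the cookie bit happens to be set the function returns false and the file is treated as unchanged, whereas the condition removed from ima_check_last_writer treated any getattr failure as a change. The caller should not depend on what vfs_getattr_nosec() leaves in `stat` on error; handle a nonzero result first and assume the file changed, which also lets the three overlapping branches collapse into a straight-line sequence that is simpler to audit. Separately, the i_version fallback here compares `inode`, as passed by ima_check_last_writer, while the baseline in ima_api.c is now taken from `real_inode`; if the caller passes the overlay inode rather than the real one those two may not be the same counter, which I cannot confirm from this hunk.
```c
static bool ima_detect_file_change(struct ima_iint_cache *iint,
				   struct inode *inode, struct file *file)
{
	/* … unchanged: declarations and the vfs_getattr_nosec() call … */

	/* getattr failed: nothing to compare against, assume the file changed */
	if (result)
		return true;

	if (stat.result_mask & STATX_CHANGE_COOKIE)
		return stat.change_cookie != iint->real_inode.version;

	if (IS_I_VERSION(inode))
		return !inode_eq_iversion(inode, iint->real_inode.version);

	/* neither a change cookie nor i_version: assume the file changed */
	return true;
}
```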
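Review bot: The rewritten condition drops the parentheses the removed line had around `iint->flags & IMA_NEW_FILE`; operator precedence makes it correct, but a bare bitwise test next to a function call under `||` reads ambiguously and the explicit form is the usual style in this file's removed line. Suggest restoring it as `if ((iint->flags & IMA_NEW_FILE) ||` with the second operand unchanged. ima_check_last_writer starts before this hunk and continues past it.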
