mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-12 03:10:13 +00:00
Code Issues Projects Releases Wiki Activity

linux: overlayfs: Add kernel patch resolving a file change notification issue

Browse Source 
Add a temporary patch that resolves a file change notification issue
with overlayfs where IMA did not become aware of the file changes
since the 'lower' inode's i_version had not changed. The issue will be
resolved in later kernels with the following patch that builds on
newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:

https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Stefan Berger
2023-04-28 08:23:15 -04:00
committed by Armin Kuster
parent b9abf0e09b
commit 319522e00d
2 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch Normal file
View File

@@ -0,0 +1,42 @@
From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Thu, 6 Apr 2023 11:27:29 -0400
Subject: [PATCH] ovl: Increment iversion upon file changes
This is a temporary patch for kernels that do not implement
STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
Increment the lower inode's iversion for IMA to be able to recognize
changes to the file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
fs/overlayfs/file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 6011f955436b..1dfe5e7bfe1c 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -13,6 +13,7 @@
#include <linux/security.h>
#include <linux/mm.h>
#include <linux/fs.h>
+#include <linux/iversion.h>
#include "overlayfs.h"
struct ovl_aio_req {
@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
if (ret != -EIOCBQUEUED)
ovl_aio_cleanup_handler(aio_req);
}
+ if (ret > 0)
+ inode_maybe_inc_iversion(inode, false);
out:
revert_creds(old_cred);
out_fdput:
--
2.34.1

1
meta-integrity/recipes-kernel/linux/linux_ima.inc
View File

@@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
SRC_URI += " \
${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
file://0001-ovl-Increment-iversion-upon-file-changes.patch \
"
do_configure() {