From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
roberto.sassu@huawei.com, amir73il@gmail.com, brauner@kernel.org,
miklos@szeredi.hu, Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v3 07/10] ima: re-evaluate file integrity on file metadata change
Date: Fri, 23 Feb 2024 12:25:10 -0500 [thread overview]
Message-ID: <20240223172513.4049959-8-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20240223172513.4049959-1-stefanb@linux.ibm.com>
Force a file's integrity to be re-evaluated on file metadata change by
resetting both the IMA and EVM status flags.
Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
security/integrity/ima/ima_main.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c15378dd9456..36c92d6c01f6 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -26,6 +26,7 @@
#include <linux/ima.h>
#include <linux/fs.h>
#include <linux/iversion.h>
+#include <linux/evm.h>
#include "ima.h"
@@ -211,6 +212,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
struct inode *real_inode, *inode = file_inode(file);
struct ima_iint_cache *iint = NULL;
struct ima_template_desc *template_desc = NULL;
+ struct inode *metadata_inode;
char *pathbuf = NULL;
char filename[NAME_MAX];
const char *pathname = NULL;
@@ -286,7 +288,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
}
/*
- * On stacked filesystems, detect and re-evaluate file data changes.
+ * On stacked filesystems, detect and re-evaluate file data and
+ * metadata changes.
*/
real_inode = d_real_inode(file_dentry(file));
if (real_inode != inode &&
@@ -297,6 +300,15 @@ static int process_measurement(struct file *file, const struct cred *cred,
iint->flags &= ~IMA_DONE_MASK;
iint->measured_pcrs = 0;
}
+
+ /*
+ * Reset the EVM status when metadata changed.
+ */
+ metadata_inode = d_inode(d_real(file_dentry(file),
+ D_REAL_METADATA));
+ if (evm_metadata_changed(inode, metadata_inode))
+ iint->flags &= ~(IMA_APPRAISED |
+ IMA_APPRAISED_SUBMASK);
}
/* Determine if already appraised/measured based on bitmask
--
2.43.0
next prev parent reply other threads:[~2024-02-23 17:25 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-23 17:25 [PATCH v3 00/10] evm: Support signatures on stacked filesystem Stefan Berger
2024-02-23 17:25 ` [PATCH v3 01/10] ima: Rename backing_inode to real_inode Stefan Berger
2024-03-19 22:50 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 02/10] security: allow finer granularity in permitting copy-up of security xattrs Stefan Berger
2024-03-19 22:51 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 03/10] evm: Implement per signature type decision in security_inode_copy_up_xattr Stefan Berger
2024-03-19 22:51 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 04/10] evm: Use the metadata inode to calculate metadata hash Stefan Berger
2024-03-19 22:51 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 05/10] ima: Move file-change detection variables into new structure Stefan Berger
2024-02-23 17:25 ` [PATCH v3 06/10] evm: Store and detect metadata inode attributes changes Stefan Berger
2024-02-23 17:25 ` Stefan Berger [this message]
2024-03-19 22:53 ` [PATCH v3 07/10] ima: re-evaluate file integrity on file metadata change Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 08/10] evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509 Stefan Berger
2024-03-19 23:26 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 09/10] fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED Stefan Berger
2024-03-19 22:53 ` Mimi Zohar
2024-02-23 17:25 ` [PATCH v3 10/10] evm: Rename is_unsupported_fs to is_unsupported_hmac_fs Stefan Berger
2024-03-19 22:53 ` Mimi Zohar
2024-04-09 21:29 ` [PATCH v3 00/10] evm: Support signatures on stacked filesystem Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240223172513.4049959-8-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).