Re: EVM: Permission denied with overlayfs

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Ignaz,

On Tue, 2018-12-18 at 20:49 +0100, Ignaz Forster wrote:
> Hi,
> 
> as a follow up to my attempts to use overlayfs on an IMA protected 
> system[1] I've now tried to also enable EVM. From what I understand this 
> should - at least in theory - be possible: EVM will call 
> d_backing_inode(dentry), which I thought would get the inode of the 
> underlying file system[2], and use that for HMAC verification.
> 
> In practice simply trying to access an existing file will fail with 
> "Permission denied" already. In the corresponding audit log I can see 
> the file access (failed with "invalid-HMAC"), but with an inode number 
> unknown to me - stat returns a completely different number for the file 
> in the lower and target dir.
> 
> For testing purposes I added a new hashing algorithm to 
> evm_ima_xattr_type which will not add the file system specific 
> attributes (inode number, generation, file system uuid) to the hash - 
> just like EVM_XATTR_PORTABLE_DIGSIG, but with the hashes generated by 
> the kernel. Files created with this signature can be read correctly, 
> though writing the files will still fail.
> 
> Unfortunately I'm out of ideas what is happening here. If anybody wants 
> to have a look at this: Any help would be appreciated.
> 
> Kind Regards,
> Ignaz
> 
> [1] https://www.spinics.net/lists/linux-integrity/msg03593.html
> [2] https://www.kernel.org/doc/htmldocs/filesystems/API-d-backing-inode.html
> 

After creating a file on the overlay, I wasn't able to access it from
the overlay, but was able to access it from "upper".  Both "stat" and
"getfattr -m ^security" returned exactly the same things for both
pathnames.  However, the ino in the audit log was different.

After modifying evm_calc_hmac_or_hash(), replacing d_backing_inode()
with d_real_inode(), the hmac properly calculated for both the overlay
and the upper pathnames.

Something must have changed in d_backing_inode().

Mimi