diff options
| author | Stefan Berger <stefanb@linux.ibm.com> | 2024-02-23 12:25:07 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2024-04-09 17:14:57 -0400 |
| commit | faf994811e0548df854e5fd946f3094725fcd9b5 (patch) | |
| tree | 9c4c4d4924aa816038e46fee1d4a4e455cb87174 /security | |
| parent | f2b3fc42f6ce19524d8ecaf9f878456ed8c50914 (diff) | |
evm: Use the metadata inode to calculate metadata hash
Changes to file attributes (mode bits, uid, gid) on the lower layer are
not taken into account when d_backing_inode() is used when a file is
accessed on the overlay layer and this file has not yet been copied up.
This is because d_backing_inode() does not return the real inode of the
lower layer but instead returns the backing inode which in this case
holds wrong file attributes. Further, when CONFIG_OVERLAY_FS_METACOPY is
enabled and a copy-up is triggered due to file metadata changes, then
the metadata are held by the backing inode while the data are still held
by the real inode. Therefore, use d_inode(d_real(dentry, D_REAL_METADATA))
to get to the file's metadata inode and use it to calculate the metadata
hash with.
Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/evm/evm_crypto.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 7552d49d0725..35416f55391c 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -223,7 +223,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, size_t req_xattr_value_len, uint8_t type, struct evm_digest *data) { - struct inode *inode = d_backing_inode(dentry); + struct inode *inode = d_inode(d_real(dentry, D_REAL_METADATA)); struct xattr_list *xattr; struct shash_desc *desc; size_t xattr_size = 0; |