diff options
| author | Stefan Berger <stefanb@linux.ibm.com> | 2023-05-10 10:51:22 -0400 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-05-13 06:06:29 -0400 |
| commit | 25dc18d6969c637bab14163aea0c95c80d3ed80c (patch) | |
| tree | 9c3ceb26281011fb470b9e0eacef7d851a94895b | |
| parent | 8a7112d37bfe0157289ed7e6baeb1d7e37707b29 (diff) | |
| download | meta-security-25dc18d6969c637bab14163aea0c95c80d3ed80c.tar.gz | |
linux: overlayfs: Drop kernel patch resolving a file change notification issue
Revert the patch resolving a file change notitfication issue (for IMA
appraisal) since this patch fails in 'many downstream kernels'.
- https://lists.yoctoproject.org/g/yocto/message/59928
- https://lists.yoctoproject.org/g/yocto/message/59929
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch | 42 | ||||
| -rw-r--r-- | meta-integrity/recipes-kernel/linux/linux_ima.inc | 1 |
2 files changed, 0 insertions, 43 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch deleted file mode 100644 index d2b5c28..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch +++ /dev/null | |||
| @@ -1,42 +0,0 @@ | |||
| 1 | From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Stefan Berger <stefanb@linux.ibm.com> | ||
| 3 | Date: Thu, 6 Apr 2023 11:27:29 -0400 | ||
| 4 | Subject: [PATCH] ovl: Increment iversion upon file changes | ||
| 5 | |||
| 6 | This is a temporary patch for kernels that do not implement | ||
| 7 | STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one: | ||
| 8 | |||
| 9 | https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 | ||
| 10 | |||
| 11 | Increment the lower inode's iversion for IMA to be able to recognize | ||
| 12 | changes to the file. | ||
| 13 | |||
| 14 | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> | ||
| 15 | --- | ||
| 16 | fs/overlayfs/file.c | 3 +++ | ||
| 17 | 1 file changed, 3 insertions(+) | ||
| 18 | |||
| 19 | diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c | ||
| 20 | index 6011f955436b..1dfe5e7bfe1c 100644 | ||
| 21 | --- a/fs/overlayfs/file.c | ||
| 22 | +++ b/fs/overlayfs/file.c | ||
| 23 | @@ -13,6 +13,7 @@ | ||
| 24 | #include <linux/security.h> | ||
| 25 | #include <linux/mm.h> | ||
| 26 | #include <linux/fs.h> | ||
| 27 | +#include <linux/iversion.h> | ||
| 28 | #include "overlayfs.h" | ||
| 29 | |||
| 30 | struct ovl_aio_req { | ||
| 31 | @@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter) | ||
| 32 | if (ret != -EIOCBQUEUED) | ||
| 33 | ovl_aio_cleanup_handler(aio_req); | ||
| 34 | } | ||
| 35 | + if (ret > 0) | ||
| 36 | + inode_maybe_inc_iversion(inode, false); | ||
| 37 | out: | ||
| 38 | revert_creds(old_cred); | ||
| 39 | out_fdput: | ||
| 40 | -- | ||
| 41 | 2.34.1 | ||
| 42 | |||
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 9d48e5c..0b6f530 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc | |||
| @@ -2,7 +2,6 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:" | |||
| 2 | 2 | ||
| 3 | SRC_URI += " \ | 3 | SRC_URI += " \ |
| 4 | ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ | 4 | ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ |
| 5 | file://0001-ovl-Increment-iversion-upon-file-changes.patch \ | ||
| 6 | " | 5 | " |
| 7 | 6 | ||
| 8 | do_configure() { | 7 | do_configure() { |