From 319522e00dfd23c78cbe28ab26b87e08a8f46993 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Fri, 28 Apr 2023 08:23:15 -0400
Subject: linux: overlayfs: Add kernel patch resolving a file change notification issue

Add a temporary patch that resolves a file change notification issue with overlayfs where IMA did not become aware of the file changes since the 'lower' inode's i_version had not changed. The issue will be resolved in later kernels with the following patch that builds on newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Signed-off-by: Stefan Berger
Signed-off-by: Armin Kuster
---
 ...-ovl-Increment-iversion-upon-file-changes.patch | 42 ++++++++++++++++++++++
 meta-integrity/recipes-kernel/linux/linux_ima.inc | 1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch

diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
new file mode 100644
index 0000000..d2b5c28
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
@@ -0,0 +1,42 @@
+From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Thu, 6 Apr 2023 11:27:29 -0400
+Subject: [PATCH] ovl: Increment iversion upon file changes
+
+This is a temporary patch for kernels that do not implement
+STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
+
+https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
+
+Increment the lower inode's iversion for IMA to be able to recognize
+changes to the file.
+
+Signed-off-by: Stefan Berger
+---
+ fs/overlayfs/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
+index 6011f955436b..1dfe5e7bfe1c 100644
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -13,6 +13,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include "overlayfs.h"
+ 
+ struct ovl_aio_req {
+@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
+ if (ret != -EIOCBQUEUED)
+ ovl_aio_cleanup_handler(aio_req);
+ }
++ if (ret > 0)
++ inode_maybe_inc_iversion(inode, false);
+ out:
+ revert_creds(old_cred);
+ out_fdput:
+-- 
+2.34.1
+
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 0b6f530..9d48e5c 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
 SRC_URI += " \
 ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
+ file://0001-ovl-Increment-iversion-upon-file-changes.patch \
 "
 do_configure() {
-- 
cgit v1.2.3-54-g00ecf
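Review bot: The added `if (ret > 0) inode_maybe_inc_iversion(inode, false);` in ovl_write_iter only covers the synchronous path: the branch immediately above shows that an async write leaves `ret == -EIOCBQUEUED` at this point, so a write that completes later in the AIO completion path never bumps i_version and IMA would still miss that change. Either the same bump belongs in the completion handler as well (outside this hunk, presumably ovl_aio_cleanup_handler/ovl_aio_rw_complete), or the limitation should be stated at the call site, e.g. `/* sync writes only: a queued AIO write returns -EIOCBQUEUED and is not versioned here */`. If `inode` is the overlay inode from file_inode(file), as is usual in this function, the bump lands on the overlay inode rather than the "lower inode" the commit text names, so a one-line comment saying which inode IMA reads the version from would help whoever removes this temporary patch. With force=false the helper increments only when the version has been queried since the last bump, which is fine provided IMA reads it through inode_query_iversion — worth confirming rather than assuming. ovl_write_iter begins and ends outside the hunk.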
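Review bot: The new `file://0001-ovl-Increment-iversion-upon-file-changes.patch` line is added to SRC_URI unconditionally, whereas the ima.scc line directly above it is gated on the `ima` DISTRO_FEATURE; the commit message describes the patch as a temporary IMA-only workaround for kernels <= 6.2, so as written it is also applied to non-IMA builds and to kernels that may already carry the successor change, where it could fail to apply. Gating it the same way, `${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://0001-ovl-Increment-iversion-upon-file-changes.patch', '', d)} \`, keeps non-IMA builds untouched; whether a kernel-version condition is also needed cannot be judged from this hunk. At minimum a comment above the line, `# temporary: kernels <= 6.2 lack STATX_CHANGE_COOKIE; drop once the upstream ovl i_version fix is in the kernel used here`, records when it should be removed. The `SRC_URI +=` assignment fits in the hunk; `do_configure()` continues outside it.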