diff options
| author | Mimi Zohar <zohar@linux.ibm.com> | 2023-10-18 14:47:02 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2023-10-31 08:22:36 -0400 |
| commit | b836c4d29f2744200b2af41e14bf50758dddc818 (patch) | |
| tree | 4ec0534db76707ad1e7d5a0ffe3a1bcd5b140901 /security/integrity/integrity.h | |
| parent | certs: Only allow certs signed by keys on the builtin keyring (diff) | |
| download | linux-b836c4d29f2744200b2af41e14bf50758dddc818.tar.gz linux-b836c4d29f2744200b2af41e14bf50758dddc818.zip | |
ima: detect changes to the backing overlay file
Commit 18b44bc5a672 ("ovl: Always reevaluate the file signature for
IMA") forced signature re-evaulation on every file access.
Instead of always re-evaluating the file's integrity, detect a change
to the backing file, by comparing the cached file metadata with the
backing file's metadata. Verifying just the i_version has not changed
is insufficient. In addition save and compare the i_ino and s_dev
as well.
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Tested-by: Eric Snowberg <eric.snowberg@oracle.com>
Tested-by: Raul E Rangel <rrangel@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security/integrity/integrity.h')
| -rw-r--r-- | security/integrity/integrity.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index d7553c93f5c0..9561db7cf6b4 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -164,6 +164,8 @@ struct integrity_iint_cache { unsigned long flags; unsigned long measured_pcrs; unsigned long atomic_flags; + unsigned long real_ino; + dev_t real_dev; enum integrity_status ima_file_status:4; enum integrity_status ima_mmap_status:4; enum integrity_status ima_bprm_status:4; |