Overlayfs fails to notify IMA / EVM about file content modifications and therefore IMA-appraised files may execute even though their file signature does not validate against the changed hash of the file anymore. To resolve this issue, add a call to integrity_notify_change() to the ovl_release() function to notify the integrity subsystem about file changes. The set flag triggers the re-evaluation of the file by IMA / EVM once the file is accessed again.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
 fs/overlayfs/file.c | 4 ++++
 include/linux/integrity.h | 6 ++++++
 security/integrity/iint.c | 13 +++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 6011f955436b..19b8f4bcc18c 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -13,6 +13,7 @@
 #include <linux/security.h>
 #include <linux/mm.h>
 #include <linux/fs.h>
+#include <linux/integrity.h>
 #include "overlayfs.h"
 
 struct ovl_aio_req {
@@ -169,6 +170,9 @@ static int ovl_open(struct inode *inode, struct file *file)
 static int ovl_release(struct inode *inode, struct file *file)
 {
+	if (file->f_flags & O_ACCMODE)
+		integrity_notify_change(inode);
+
 	fput(file->private_data);
 
 	return 0;
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 2ea0f2f65ab6..cefdeccc1619 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -23,6 +23,7 @@ enum integrity_status {
 #ifdef CONFIG_INTEGRITY
 extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
 extern void integrity_inode_free(struct inode *inode);
+extern void integrity_notify_change(struct inode *inode);
 extern void __init integrity_load_keys(void);
 
 #else
@@ -37,6 +38,11 @@ static inline void integrity_inode_free(struct inode *inode)
 	return;
 }
 
+static inline void integrity_notify_change(struct inode *inode)
+{
+	return;
+}
+
 static inline void integrity_load_keys(void)
 {
 }
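Review bot: The writable-open test added to ovl_release, `if (file->f_flags & O_ACCMODE)`, works only because O_RDONLY is 0, so any non-zero access mode means the descriptor could have written; that is correct but not self-explanatory, and as far as I recall IMA's own file-close path tests `file->f_mode & FMODE_WRITE` for the same question, so `if (file->f_mode & FMODE_WRITE)` would read better and stay consistent with the code this feeds. If the f_flags form is kept, a one-line comment such as `/* O_RDONLY is 0: a non-zero access mode means a possible write */` should accompany it. Note that this fires on every close of a writable descriptor, including ones that never wrote, which errs on the safe side (an extra re-appraisal rather than a missed one) but is worth stating in the comment so nobody later "optimises" it into a less conservative check. The closing brace of ovl_release is not visible in the hunk, so the function appears to continue past it.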
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 8638976f7990..70d2d716f3ae 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -85,6 +85,19 @@ static void iint_free(struct integrity_iint_cache *iint)
 	kmem_cache_free(iint_cache, iint);
 }
 
+void integrity_notify_change(struct inode *inode)
+{
+	struct integrity_iint_cache *iint;
+
+	if (!IS_IMA(inode))
+		return;
+
+	iint = integrity_iint_find(inode);
+	if (iint)
+		set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
+}
+EXPORT_SYMBOL_GPL(integrity_notify_change);
+
 /**
  * integrity_inode_get - find or allocate an iint associated with an inode
  * @inode: pointer to the inode
-- 
2.34.1
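Review bot: integrity_notify_change is added with no kernel-doc block although its neighbour integrity_inode_get carries one, and the flag it sets, IMA_CHANGE_XATTR, is named for xattr updates while the only caller reports content changes, so the choice needs explaining right at the set_bit line. A kernel-doc comment saying that the function marks an inode whose content may have changed through a path IMA does not itself observe (overlayfs release, per the commit message) so that IMA / EVM re-evaluate it on the next access, and that setting IMA_CHANGE_XATTR is the mechanism that forces that re-evaluation, would cover both points; if the flag's reuse is deliberate rather than a placeholder for a content-specific flag, say so. It also helps to record that a missing iint is not an error: an inode that was never measured has nothing cached to invalidate and is evaluated fresh on first access, which is why the `if (iint)` branch silently does nothing. Taking no iint->mutex here is presumably fine because set_bit on atomic_flags is atomic — worth confirming against the existing IMA_CHANGE_XATTR setter in the IMA code.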