On 28.09.18 at 18:54, Mimi Zohar wrote:
On Mon, 2018-09-10 at 11:17 +0200, Ignaz Forster wrote:
On 07.09.18 at 20:45, Mimi Zohar wrote:
A small example for reproduction (on a system with IMA appraisal):
# OVERLAYFS_TEST_DIR=`mktemp -d`
# mkdir "${OVERLAYFS_TEST_DIR}/upper"
# mkdir "${OVERLAYFS_TEST_DIR}/work"
# mount -t overlay -o lowerdir=/etc,upperdir="${OVERLAYFS_TEST_DIR}/upper",workdir="${OVERLAYFS_TEST_DIR}/work" overlay /etc
#
# rm -f /etc/test.txt
# echo Test > /etc/test.txt
# cat /etc/test.txt
cat: /etc/test.txt: Permission denied
# ls -s /etc/test.txt
4 /etc/test.txt # <- The contents are there
# getfattr -m . -d /etc/test.txt
# # <- The hash isn't
The file size is still 0 when ima_check_last_writer() calls
ima_update_xattr(), which tries to calculate the file hash and write
it out as security.ima.
We found out that, when forcibly setting the read flag in
ovl_open_realfile as seen in the attached patch, the IMA attributes will
be set correctly again. It seems IMA cannot read the file contents and
thus cannot create the hash any more.
This is obviously not ready for production, but the best I currently have.
Ignaz
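The constraint described above, shown in user space as an added illustration (this is not kernel code and not part of the thread): a descriptor opened O_WRONLY cannot be read back, so anything that has only the writer's handle and wants to hash the content gets EBADF, whereas an O_RDWR handle, or a separate O_RDONLY reopen of the same path, can be hashed. The functions hash_via_fd, hash_via_path, write_then_hash, demo_rc and demo_digest, the FNV-1a stand-in for the real IMA digest, and the scratch file under /tmp are all constructs of this example and are not taken from the kernel or from the patch.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* FNV-1a (64-bit) stands in for the real digest IMA would store in
 * security.ima; the point here is the I/O path, not the hash algorithm. */
uint64_t fnv1a_update(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash a file through an already-open descriptor, the only handle a
 * last-writer hook has. Returns 0 and stores the digest in *out, or -errno.
 * A descriptor opened O_WRONLY cannot be read from and yields -EBADF. */
int hash_via_fd(int fd, uint64_t *out)
{
    unsigned char buf[4096];
    uint64_t h = 0xcbf29ce484222325ULL;
    off_t off = 0;
    for (;;) {
        ssize_t n = pread(fd, buf, sizeof buf, off);
        if (n < 0)
            return -errno;
        if (n == 0)
            break;
        h = fnv1a_update(h, buf, (size_t)n);
        off += n;
    }
    *out = h;
    return 0;
}

/* Alternative to widening the writer's flags: open the same path
 * read-only just for hashing. */
int hash_via_path(const char *path, uint64_t *out)
{
    int fd = open(path, O_RDONLY), rc;
    if (fd < 0)
        return -errno;
    rc = hash_via_fd(fd, out);
    close(fd);
    return rc;
}

/* Create a scratch file (constructed by this example), write "Test\n" through
 * a descriptor opened with accmode (O_WRONLY or O_RDWR), then hash it through
 * that descriptor or, if reopen_for_read is set, through a fresh O_RDONLY open. */
int write_then_hash(int accmode, int reopen_for_read, uint64_t *out)
{
    char path[] = "/tmp/ima-wronly-XXXXXX";
    int fd = mkstemp(path), rc;
    if (fd < 0)
        return -errno;
    close(fd);
    fd = open(path, accmode | O_TRUNC);
    if (fd < 0) {
        rc = -errno;
    } else if (write(fd, "Test\n", 5) != 5) {
        rc = -errno;
        close(fd);
    } else {
        rc = reopen_for_read ? hash_via_path(path, out)
                             : hash_via_fd(fd, out);
        close(fd);
    }
    unlink(path);
    return rc;
}

/* Scalar wrappers so each outcome can be checked without out-parameters. */
int demo_rc(int accmode, int reopen_for_read)
{
    uint64_t h;
    return write_then_hash(accmode, reopen_for_read, &h);
}

uint64_t demo_digest(int accmode, int reopen_for_read)
{
    uint64_t h = 0;
    return write_then_hash(accmode, reopen_for_read, &h) ? 0 : h;
}

int main(void)
{
    printf("O_WRONLY, same fd:  %s\n", strerror(-demo_rc(O_WRONLY, 0)));
    printf("O_RDWR,   same fd:  %016llx\n", (unsigned long long)demo_digest(O_RDWR, 0));
    printf("O_WRONLY, reopened: %016llx\n", (unsigned long long)demo_digest(O_WRONLY, 1));
    return 0;
}
```

The first case fails with "Bad file descriptor"; the other two produce the same digest, which is the practical difference between widening the writer's open flags (what the attached patch does) and obtaining a separate read-capable handle for the hash.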
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index aeaefd2a551b..b96663a2fbac 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -23,13 +23,15 @@ static char ovl_whatisit(struct inode *inode, struct inode *realinode)
return 'm';
}
-static struct file *ovl_open_realfile(const struct file *file,
+static struct file *ovl_open_realfile(struct file *file,
struct inode *realinode)
{
struct inode *inode = file_inode(file);
struct file *realfile;
const struct cred *old_cred;
+ file->f_flags &= ~O_WRONLY;
+ file->f_flags |= O_RDWR;
old_cred = ovl_override_creds(inode->i_sb);
realfile = open_with_fake_path(&file->f_path, file->f_flags | O_NOATIME,
realinode, current_cred());
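Review bot: the flag rewrite `file->f_flags &= ~O_WRONLY;` / `file->f_flags |= O_RDWR;` at the top of ovl_open_realfile is unconditional and permanent: an O_RDONLY open (access mode 0) is also turned into an O_RDWR open of the real file, and the overlay file's own f_flags are modified rather than only the flags handed to open_with_fake_path(), which is also why the const had to be dropped from the `file` parameter. Suggest computing a local copy, upgrading only the write-only case, and passing that: `int flags = file->f_flags;` then `if ((flags & O_ACCMODE) == O_WRONLY) flags = (flags & ~O_ACCMODE) | O_RDWR;` and `open_with_fake_path(&file->f_path, flags | O_NOATIME, realinode, current_cred());`, which leaves the caller's struct file untouched and keeps the parameter const.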