EVM: Permission denied with overlayfs

Hi,

As a follow-up to my attempts to use overlayfs on an IMA-protected system [1], I've now tried to also enable EVM. From what I understand this should, at least in theory, be possible: EVM will call d_backing_inode(dentry), which I thought would get the inode of the underlying file system [2], and use that for HMAC verification.

In practice, simply trying to access an existing file already fails with "Permission denied". In the corresponding audit log I can see the file access (failed with "invalid-HMAC"), but with an inode number unknown to me: stat returns a completely different number for the file in the lower and target dir.

For testing purposes I added a new hashing algorithm to evm_ima_xattr_type which will not add the file-system-specific attributes (inode number, generation, file system UUID) to the hash, just like EVM_XATTR_PORTABLE_DIGSIG, but with the hashes generated by the kernel. Files created with this signature can be read correctly, though writing the files will still fail.

Unfortunately I'm out of ideas as to what is happening here. If anybody wants to have a look at this: any help would be appreciated.

Kind regards,
Ignaz

[1] https://www.spinics.net/lists/linux-integrity/msg03593.html
[2] https://www.kernel.org/doc/htmldocs/filesystems/API-d-backing-inode.html
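The following is an added user-space diagnostic for the symptom described in the message above; it is not code from the original post, from the kernel, or from the overlayfs/EVM maintainers. It reads the type byte of a file's security.evm xattr (values as in enum evm_ima_xattr_type in security/integrity/integrity.h: HMAC and the classic digsig cover the inode number, generation and fs UUID, the portable digsig does not) and compares the (st_dev, st_ino) identity that stat() reports for two paths, typically the lower-dir copy of a file and the same file seen through the merged overlay mount. The helper names, the temp-file self-check and the output format are assumptions of this example.

```c
/*
 * evmdiag: show why an EVM HMAC computed for one inode cannot verify
 * through another. Added example, not part of the original message.
 * Usage: ./evmdiag <lower/file> <merged/file>
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Type byte of security.evm / security.ima (security/integrity/integrity.h). */
enum evm_ima_xattr_type {
	IMA_XATTR_DIGEST = 1,
	EVM_XATTR_HMAC = 2,
	EVM_IMA_XATTR_DIGSIG = 3,
	IMA_XATTR_DIGEST_NG = 4,
	EVM_XATTR_PORTABLE_DIGSIG = 5,
};

/* The first byte of a security.evm value is the type; -1 for an empty value. */
int evm_xattr_type(const unsigned char *val, size_t len)
{
	return len ? (int)val[0] : -1;
}

/*
 * HMAC and the classic digsig bind the value to the file-system identity of
 * the inode (inode number, generation, fs UUID), so they cannot verify via a
 * different inode. The portable digsig leaves those fields out, which is why
 * a portable-style value can still be read through an overlay.
 */
int evm_type_binds_fs_identity(int type)
{
	return type == EVM_XATTR_HMAC || type == EVM_IMA_XATTR_DIGSIG;
}

/* Returns the EVM type, 0 when no security.evm is present, -errno on error. */
int read_evm_type(const char *path)
{
	unsigned char buf[256];
	ssize_t n = lgetxattr(path, "security.evm", buf, sizeof buf);
	if (n < 0)
		return errno == ENODATA ? 0 : -errno;
	return evm_xattr_type(buf, (size_t)n);
}

/* 1 if (st_dev, st_ino) differ between the two paths, 0 if equal, -errno on error. */
int inode_identity_differs(const char *a, const char *b)
{
	struct stat sa, sb;
	if (stat(a, &sa) < 0 || stat(b, &sb) < 0)
		return -errno;
	return sa.st_dev != sb.st_dev || sa.st_ino != sb.st_ino;
}

/*
 * Self-check on constructed input: compare a fresh temp file with itself
 * (expect 0) or with a second temp file (expect 1). Needs no overlay mount.
 */
int tmpfile_identity_check(int two_files)
{
	char p1[] = "/tmp/evmdiag-XXXXXX", p2[] = "/tmp/evmdiag-XXXXXX";
	int fd1 = mkstemp(p1), fd2 = -1, rc;
	if (fd1 < 0)
		return -errno;
	if (two_files && (fd2 = mkstemp(p2)) < 0) {
		rc = -errno;
		goto out;
	}
	rc = inode_identity_differs(p1, two_files ? p2 : p1);
out:
	close(fd1);
	unlink(p1);
	if (fd2 >= 0) {
		close(fd2);
		unlink(p2);
	}
	return rc;
}

int main(int argc, char **argv)
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s <lower/file> <merged/file>\n", argv[0]);
		return 2;
	}
	for (int i = 1; i < 3; i++) {
		struct stat st;
		if (stat(argv[i], &st) < 0) {
			perror(argv[i]);
			return 1;
		}
		int t = read_evm_type(argv[i]);
		printf("%s: dev=%lu ino=%lu evm_type=%d%s\n", argv[i],
		       (unsigned long)st.st_dev, (unsigned long)st.st_ino, t,
		       t > 0 && evm_type_binds_fs_identity(t)
			       ? " (bound to inode/fs identity)" : "");
	}
	printf("inode identity differs: %d\n",
	       inode_identity_differs(argv[1], argv[2]));
	return 0;
}
```

Run it against the lower-dir path and the merged-overlay path of the same file: if the two lines report different dev/ino pairs and the EVM type is 2 (HMAC) or 3 (digsig), the HMAC was computed over metadata that the overlay's inode does not reproduce, which matches the "invalid-HMAC" audit record. A type of 5 (portable digsig) is the only value that does not carry that binding.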
