On 8:57 17/01, Amir Goldstein wrote:
> On Thu, Jan 17, 2019 at 1:22 AM Goldwyn Rodrigues <rgoldwyn@xxxxxxx> wrote:
> >
> > Since copy_up() happens when you are modifying a file on overlay,
> > it is still a new file for the underlying filesystem. Mark it
> > in IMA for re-evaluating as a new file.
> >
> > Putting ima calls within overlayfs may not be the best method, but this is
> > the only one which I thought would work.
> >
>
> Doesn't look right.
> Overlayfs creates the new inode with vfs_tmpfile() and I think that is
> where you should plug the IMA hook.
>
> > Here is a test case:
> > mount /dev/vdb /lower
> > mount /dev/vdc /upper
> > echo "Original contents" > /lower/existingfile.txt
> > mount -t overlay overlay /mnt -o upperdir=/upper/upper,workdir=/upper/workdir,lowerdir=/lower
> > echo "New contents" > /mnt/existingfile.txt
> >
>
> I bet you can reproduce that same issue without overlayfs
> by creating an O_TMPFILE from userspace.
>
> The ima_file_check() hook in do_last() does not cover the O_TMPFILE
> case.
>

The problem you mention was resolved by https://lkml.org/lkml/2018/12/18/809
which I have in my tree. The current patch is on top of that.

--
Goldwyn
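The userspace reproduction Amir suggests, as an added example that is not part of the thread and not code from either participant or from the kernel tree: the file is created anonymously with O_TMPFILE, written, and only then given a name through linkat() on its /proc/self/fd entry, so its contents never pass through an open() of a named path in do_last(). The directory and target path below, the helper names, and the /proc-based linkat() (used instead of AT_EMPTY_PATH so the program needs no capability) are all assumptions of this demo. Whether such a file is measured or appraised is a question for the IMA policy on the system it runs on; the program itself only shows the code path.

```c
/* Added example (not from the original thread): create a file through the
 * O_TMPFILE path and give it a name afterwards. Paths and names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

enum { TMPFILE_OK = 0, TMPFILE_UNSUPPORTED = 1, TMPFILE_ERROR = -1 };

/* Create an unnamed file in `dir`, write `data` into it, then link it into the
 * namespace as `target`.  Returns TMPFILE_OK on success, TMPFILE_UNSUPPORTED when
 * the kernel, filesystem or missing /proc rules the O_TMPFILE route out, and
 * TMPFILE_ERROR for any other failure. */
int create_via_tmpfile(const char *dir, const char *target, const char *data)
{
#ifndef O_TMPFILE
    (void)dir; (void)target; (void)data;
    return TMPFILE_UNSUPPORTED;          /* non-Linux libc: no O_TMPFILE at all */
#else
    /* No name is involved here: the inode exists but has no directory entry. */
    int fd = open(dir, O_TMPFILE | O_RDWR, 0644);
    if (fd < 0) {
        /* EOPNOTSUPP/EISDIR/EINVAL: filesystem or old kernel without O_TMPFILE. */
        if (errno == EOPNOTSUPP || errno == EISDIR || errno == EINVAL)
            return TMPFILE_UNSUPPORTED;
        return TMPFILE_ERROR;
    }

    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return TMPFILE_ERROR;
    }

    /* Materialise the file under a name.  Linking /proc/self/fd/N with
     * AT_SYMLINK_FOLLOW works without CAP_DAC_READ_SEARCH, unlike AT_EMPTY_PATH
     * on older kernels. */
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    unlink(target);                      /* linkat() refuses to overwrite (EEXIST) */
    int rc = linkat(AT_FDCWD, procpath, AT_FDCWD, target, AT_SYMLINK_FOLLOW);
    int saved = errno;
    close(fd);
    if (rc < 0)
        return saved == ENOENT ? TMPFILE_UNSUPPORTED /* /proc not mounted */ : TMPFILE_ERROR;
    return TMPFILE_OK;
#endif
}

/* Read `path` back through a normal named open() and compare with `expected`.
 * Returns 1 on a match, 0 otherwise. */
int file_matches(const char *path, const char *expected)
{
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

/* Full round trip: create via O_TMPFILE, link, read back by name.
 * Returns TMPFILE_OK only if the named file carries the written contents. */
int run_demo(const char *dir, const char *target, const char *data)
{
    int rc = create_via_tmpfile(dir, target, data);
    if (rc != TMPFILE_OK)
        return rc;
    return file_matches(target, data) ? TMPFILE_OK : TMPFILE_ERROR;
}

int main(void)
{
    /* Constructed inputs for the demo; pick any directory on a filesystem
     * that supports O_TMPFILE (ext4, xfs, btrfs, tmpfs). */
    const char *target = "/tmp/ima_tmpfile_demo.txt";
    int rc = run_demo("/tmp", target, "New contents\n");
    if (rc == TMPFILE_OK)
        printf("created %s via O_TMPFILE + linkat; inspect it in the IMA measurement list\n", target);
    else if (rc == TMPFILE_UNSUPPORTED)
        printf("O_TMPFILE route unavailable here\n");
    else
        perror("demo failed");
    return rc == TMPFILE_ERROR;
}
```

After running it on a system with an IMA measurement policy, compare the entry for the target path in /sys/kernel/security/ima/ascii_runtime_measurements with what the same file gets when written through a plain named open(); the difference, if any, is the gap the thread discusses.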