Re: [PATCH 4/5] evm: Use the real inode's metadata to calculate metadata hash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 2/2/24 11:17, Amir Goldstein wrote:
The odd thing is my updated test case '2' seems to indicate that
everything already works as expected with CONFIG_OVERLAY_FS_METACOPY=y.
After causing copy-up of metadata changes to the file content on the
lower layer still cause permission error to file execution on the
overlay layer and after restoring the file content on the lower the file
on the overlay again runs as expected. The file content change + copy-up
of file content also has completely decoupled the lower file from the
file on the overlay and changes to the file on the lower cause no more
file execution rejections on the overlay.


Sorry, you lost me.
The combination of IMA+EVM+OVL must be too complicated to
explain in plain language without an explicit test spelled out...

When you write "The file content change + copy-up of file content also
has completely decoupled the lower file from the file on the overlay",
what do you mean by "copy up of the file content"?
Why was the file content copied up?

The file was copied up by appending a byte to the file on the 'overlay'.

I was asking about use case that only metadata was copied up but
lower file content, which is still the content of the ovl file was changed
underneath ovl - this case does not cause data content to be copied up.

I don't think we understand each other.

One of the test cases I also have is appending a byte to the file on the
'lower'. At this point in the test one can detect whether CONFIG_OVERLAY_FS_METACOPY is enabled by checking the sha1 of the files on the lower and overlay layers and comparing their hashes. If they are equal then CONFIG_OVERLAY_FS_METACOPY is enabled since previously in the test file metadata on the overlay layer was already changed, which in the CONFIG_OVERLAY_FS_METACOPY=y case only caused a copy-up of metadata. So, when trying to execute the file on the overlay layer the file cannot be executed due to the file content change on the lower layer (IMA should be the one detecting this, need to check) still 'shining through'. After restoring the file content on the lower layer the file again executes on the 'overlay' layer - as expected.

   Stefan



Thanks,
Amir.




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux