On Fri, 2018-09-07 at 18:49 +0200, Ignaz Forster wrote:
> Hi,
>
> I'm currently experimenting with IMA / EVM on overlayfs, however those
> don't seem to work together very well.
>
> With kernel 4.18 it was possible to at least partially use IMA. As long
> as the O_TRUNC attribute was not set during a copy_up operation
> everything seemed to work so far.
>
> Now when applying the changes from
> https://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git/tag/?h=ovl-update-4.19
> (or using kernel 4.19-rc2) every file contents modification or creation
> of a new file will fail, probably because the inode reported by
> overlayfs does not match the physical inode number any more (and thus
> the IMA hashes won't be generated).
>
>
> A small example for reproduction (on a system with IMA appraisal):
> # OVERLAYFS_TEST_DIR=`mktemp -d`
> # mkdir "${OVERLAYFS_TEST_DIR}/upper"
> # mkdir "${OVERLAYFS_TEST_DIR}/work"
> # mount -t overlay -o lowerdir=/etc,upperdir="${OVERLAYFS_TEST_DIR}/upper",workdir="${OVERLAYFS_TEST_DIR}/work" overlay /etc
> #
> # rm -f /etc/test.txt
> # echo Test > /etc/test.txt
> # cat /etc/test.txt
> cat: /etc/test.txt: Permission denied
> # ls -s /etc/test.txt
> 4 /etc/test.txt # <- The contents are there
> # getfattr -m . -d /etc/test.txt
> # # <- The hash isn't

Thank you for providing the example. Also on a linux-4.18.0-rcX test
kernel, the file hash isn't being written out either. The builtin
"appraise_tcb" policy (e.g. specified as "ima_policy=appraise_tcb" on the
boot command line) has a tmpfs dont_appraise rule.

> After some debugging I'm not sure on how to continue from here. My
> assumption is that overlayfs will have to be modified, however I fail to
> see where to start.

Please make sure that you're comparing the results based on using the
same IMA policy.

Mimi
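As an added diagnostic (not code from this thread or from the IMA project), a POSIX shell script for the check Mimi asks for: given an IMA policy text (normally /sys/kernel/security/ima/policy) and a filesystem magic number, it reports whether a dont_appraise fsmagic rule covers that filesystem, so the tmpfs and overlayfs results can be compared under the same policy. The policy excerpt is constructed in the style of the documented appraise_tcb rules, and the overlayfs magic 0x794c7630 is assumed from the kernel's magic.h.

```shell
#!/bin/sh
# Added example, not code from the thread: scan an IMA policy for a
# dont_appraise rule keyed on a filesystem's fsmagic. Other conditions on
# a matching rule (uid, fowner, ...) are ignored: a first filter only.

# Normalise a magic value for comparison: drop "0x", leading zeros, case.
norm_magic() {
    printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/^0*//' | tr 'A-F' 'a-f'
}

# appraise_verdict POLICY_FILE FSMAGIC
# Prints "dont_appraise" if a dont_appraise rule names that fsmagic, else
# "appraise" (an appraise rule may then apply). Returns 1 if unreadable.
appraise_verdict() {
    policy="$1"; want=$(norm_magic "$2")
    [ -r "$policy" ] || return 1
    while IFS= read -r line; do
        case "$line" in
            dont_appraise*fsmagic=*) ;;
            *) continue ;;
        esac
        have=$(printf '%s\n' "$line" | sed -n 's/.*fsmagic=\([0-9a-fA-Fx]*\).*/\1/p')
        if [ "$(norm_magic "$have")" = "$want" ]; then
            printf 'dont_appraise\n'; return 0
        fi
    done < "$policy"
    printf 'appraise\n'
}

# mount_verdict POLICY_FILE PATH: same check for the filesystem holding
# PATH, using GNU stat's hex filesystem type (live policy needs root).
mount_verdict() {
    magic=$(stat -f -c %t "$2") || return 1
    appraise_verdict "$1" "$magic"
}

# Constructed policy excerpt in the style of the builtin appraise_tcb rules.
SAMPLE_POLICY=$(mktemp)
trap 'rm -f "$SAMPLE_POLICY"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
appraise fowner=0
EOF
echo "tmpfs:     $(appraise_verdict "$SAMPLE_POLICY" 0x01021994)"  # dont_appraise
echo "overlayfs: $(appraise_verdict "$SAMPLE_POLICY" 0x794c7630)"  # appraise
```

On a live system, `mount_verdict /sys/kernel/security/ima/policy /etc/test.txt` (as root) names the rule class for the mount the test file actually lives on.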