Hi,
as a follow-up to my attempts to use overlayfs on an IMA-protected
system[1] I've now tried to also enable EVM. From what I understand this
should - at least in theory - be possible: EVM will call
d_backing_inode(dentry), which I thought would get the inode of the
underlying file system[2], and use that for HMAC verification.
In practice, simply trying to access an existing file will fail with
"Permission denied" already. In the corresponding audit log I can see
the file access (failed with "invalid-HMAC"), but with an inode number
unknown to me - stat returns a completely different number for the file
in the lower and target dir.
For testing purposes I added a new hashing algorithm to
evm_ima_xattr_type which will not add the file system specific
attributes (inode number, generation, file system uuid) to the hash -
just like EVM_XATTR_PORTABLE_DIGSIG, but with the hashes generated by
the kernel. Files created with this signature can be read correctly,
though writing the files will still fail.
Unfortunately I'm out of ideas as to what is happening here. If anybody wants
to have a look at this, any help would be appreciated.
Kind Regards,
Ignaz
[1] https://www.spinics.net/lists/linux-integrity/msg03593.html
[2] https://www.kernel.org/doc/htmldocs/filesystems/API-d-backing-inode.html
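The mail above describes two observations: the EVM HMAC of an unmodified file fails as "invalid-HMAC" when the file is reached through overlayfs and shows a different inode number, while a variant that leaves out the filesystem-specific attributes verifies. The following toy model, added here as an illustration and not code from the mail or from the kernel, reproduces both effects. It mimics how EVM feeds the protected xattr values and a metadata block (inode number, generation, uid, gid, mode, plus the filesystem UUID) into an HMAC-SHA1; the field order and the little-endian, unpadded layout of that block, the xattr list, the key and all file metadata are constructed assumptions for the demo. The "portable" flag models the experiment in the mail (same HMAC, but without inode number, generation and UUID), not the kernel's real EVM_XATTR_PORTABLE_DIGSIG, which is an asymmetric signature.

```python
"""Toy model of how the EVM HMAC is bound to filesystem metadata and why
the same file seen through another inode number (e.g. via overlayfs)
fails verification.  Added example; not kernel code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Order in which protected xattrs are fed into the HMAC.  Constructed
# subset; the real list depends on the kernel configuration.
PROTECTED_XATTRS = ("security.selinux", "security.ima", "security.capability")


@dataclass
class InodeMeta:
    ino: int
    generation: int
    uid: int
    gid: int
    mode: int
    fsuuid: bytes  # 16 bytes


def hmac_misc_bytes(meta: InodeMeta, portable: bool) -> bytes:
    """Serialise the metadata block appended after the xattr values.
    Modelled on a struct {ino, generation, uid, gid, mode}; the exact
    layout used here is an assumption for the demo.  In portable mode
    ino and generation are zeroed and the fsuuid is omitted."""
    ino = 0 if portable else meta.ino
    gen = 0 if portable else meta.generation
    blob = struct.pack("<QIIIH", ino, gen, meta.uid, meta.gid, meta.mode)
    if not portable:
        blob += meta.fsuuid
    return blob


def evm_hash(key: bytes, xattrs: dict, meta: InodeMeta, portable: bool = False) -> str:
    """HMAC-SHA1 over the protected xattr values in canonical order,
    followed by the metadata block."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:
        value = xattrs.get(name)
        if value is not None:  # absent xattrs are simply skipped
            mac.update(value)
    mac.update(hmac_misc_bytes(meta, portable))
    return mac.hexdigest()


def verify(key: bytes, stored: str, xattrs: dict, meta: InodeMeta, portable: bool = False) -> bool:
    """Constant-time comparison of the stored security.evm value against
    the value recomputed from the inode as the kernel currently sees it."""
    return hmac.compare_digest(stored, evm_hash(key, xattrs, meta, portable))


def demo() -> dict:
    """Same xattrs and content, two views of the inode: the lower filesystem
    and the overlay, which reports a different inode number."""
    key = b"constructed-evm-key-not-real"          # placeholder key
    xattrs = {
        "security.ima": b"\x04" + b"\x11" * 20,     # constructed IMA hash xattr
        "security.selinux": b"unconfined_u:object_r:etc_t:s0\x00",
    }
    uuid = bytes(range(16))                         # constructed fs uuid
    lower = InodeMeta(ino=1234, generation=1, uid=0, gid=0, mode=0o100644, fsuuid=uuid)
    overlay = InodeMeta(ino=98765, generation=1, uid=0, gid=0, mode=0o100644, fsuuid=uuid)

    stored = evm_hash(key, xattrs, lower)                       # labelled on the lower fs
    stored_portable = evm_hash(key, xattrs, lower, portable=True)
    return {
        "hmac_ok_on_lower": verify(key, stored, xattrs, lower),
        "hmac_ok_on_overlay": verify(key, stored, xattrs, overlay),
        "portable_ok_on_overlay": verify(key, stored_portable, xattrs, overlay, portable=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run stand-alone it prints that the stored HMAC verifies against the lower inode but not against the overlay view, and that the metadata-free variant verifies in both places, which is exactly the behaviour the mail reports for reads. It does not model why writes still fail: on a write, the kernel recomputes and stores security.evm using the inode it is given, and that part of the path is not covered by this read-side check.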