On Thu, Jan 17, 2019 at 5:02 PM Goldwyn Rodrigues <rgoldwyn@xxxxxxx> wrote:
>
> On 8:57 17/01, Amir Goldstein wrote:
> > On Thu, Jan 17, 2019 at 1:22 AM Goldwyn Rodrigues <rgoldwyn@xxxxxxx> wrote:
> > >
> > > Since copy_up() happens when you are modifying a file on overlay,
> > > it is still a new file for the underlying filesystem. Mark it
> > > in IMA for re-evaluating as a new file.
> > >
> > > Putting ima calls within overlayfs may not be the best method, but this is
> > > the only one which I thought would work.
> > >
> >
> > Doesn't look right.
> > Overlayfs creates the new inode with vfs_tmpfile() and I think that is
> > where you should plug the IMA hook.
> >
> > > Here is a test case:
> > > mount /dev/vdb /lower
> > > mount /dev/vdc /upper
> > > echo "Original contents" > /lower/existingfile.txt
> > > mount -t overlay overlay /mnt -o upperdir=/upper/upper,workdir=/upper/workdir,lowerdir=/lower
> > > echo "New contents" > /mnt/existingfile.txt
> > >
> >
> > I bet you can reproduce that same issue without overlayfs
> > by creating an O_TMPFILE from userspace.
> >
> > The ima_file_check() hook in do_last() does not cover the O_TMPFILE
> > case.
> >
>
> The problem you mention was resolved by https://lkml.org/lkml/2018/12/18/809
> which I have in my tree.
>

The proposed hook ima_post_create_tmpfile() inside do_tmpfile() takes a file
argument, uses only file_inode() and sets IMA_NEW_FILE.
Now because that hook does not get called from vfs_tmpfile() you want to add
more ima hooks inside overlayfs code after calling vfs_tmpfile().
If you move the IMA hook inside vfs_tmpfile() and pass the dentry or inode,
you will get the same result and you won't need to change overlayfs code.

Is there a problem with that proposal?

Thanks,
Amir.
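Amir's remark above, that the same situation can be reproduced without overlayfs by creating an O_TMPFILE from userspace, as an added example that is not part of this thread or of either patch: the program creates an anonymous file with O_TMPFILE, writes to it while it has no name, and then gives it a name with linkat(). That is the create path that never passes through the ima_file_check() call in do_last(), because the file was never opened by name. Whether IMA then measures or appraises the file is a property of the running kernel and its policy, so the program only verifies the VFS side (the file appears by name with the written contents). The directory, the file name, the "New contents" string (borrowed from the test case above) and the return codes are assumptions of the example; the filesystem under the directory must support O_TMPFILE (tmpfs, ext4 and xfs do); a filesystem without tmpfile support returns EOPNOTSUPP, which the program reports as "unsupported" rather than as an error.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return codes for tmpfile_publish() and tmpfile_demo() (example's own). */
enum { TP_OK = 0, TP_UNSUPPORTED = 1, TP_ERROR = -1 };

/*
 * Create an anonymous file with O_TMPFILE in `dir`, write `data` into it while
 * it has no name, then give it the name `final` with linkat(). The link goes
 * through /proc/self/fd/N with AT_SYMLINK_FOLLOW, which works unprivileged;
 * linkat(fd, "", ..., AT_EMPTY_PATH) needs CAP_DAC_READ_SEARCH on older kernels.
 */
int tmpfile_publish(const char *dir, const char *final, const char *data)
{
    int fd = open(dir, O_TMPFILE | O_RDWR, 0600);
    if (fd < 0) {
        /* EOPNOTSUPP: filesystem has no tmpfile support.
         * EISDIR: kernel predates O_TMPFILE and only saw O_DIRECTORY. */
        if (errno == EOPNOTSUPP || errno == EISDIR)
            return TP_UNSUPPORTED;
        return TP_ERROR;
    }

    /* The file exists only as an inode at this point: no name, no do_last(). */
    size_t len = strlen(data), done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return TP_ERROR;
        }
        done += (size_t)n;
    }

    /* Now give the inode a name. linkat() refuses to overwrite an existing path. */
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int rc = linkat(AT_FDCWD, procpath, AT_FDCWD, final, AT_SYMLINK_FOLLOW);
    close(fd);
    return rc == 0 ? TP_OK : TP_ERROR;
}

/*
 * Publish a constructed "New contents" string under `dir` through the tmpfile
 * path and verify it is readable by name afterwards. Returns TP_OK,
 * TP_UNSUPPORTED (O_TMPFILE not available on `dir`) or TP_ERROR.
 */
int tmpfile_demo(const char *dir)
{
    static const char data[] = "New contents\n";  /* constructed sample input */
    char final[PATH_MAX];
    snprintf(final, sizeof final, "%s/ima_tmpfile_demo.%ld", dir, (long)getpid());

    int rc = tmpfile_publish(dir, final, data);
    if (rc != TP_OK)
        return rc;

    /* Read the file back by name, the way IMA would see it opened later. */
    char buf[sizeof data];
    int fd = open(final, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf);
    if (fd >= 0)
        close(fd);
    unlink(final);
    if (n != (ssize_t)(sizeof data - 1) || memcmp(buf, data, (size_t)n) != 0)
        return TP_ERROR;
    return TP_OK;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int rc = tmpfile_demo(dir);
    printf("%s: %s\n", dir,
           rc == TP_OK ? "O_TMPFILE + linkat ok"
           : rc == TP_UNSUPPORTED ? "O_TMPFILE unsupported on this filesystem"
           : "failed");
    return rc == TP_ERROR;
}
```

Build with `cc -o tmpfile_demo tmpfile_demo.c` and pass a directory on the filesystem under test. To see the IMA side on a kernel with a measurement policy that covers the file, snapshot /sys/kernel/security/ima/ascii_runtime_measurements, run the program with the unlink() removed, read the published file by name, and compare the measurement list; whether the file is treated as new is exactly what the hook placement discussed above decides.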