From: Mimi Zohar <zohar@xxxxxxxxxxxxx> Using the overlayfs i_ino value in the HMAC calculation results in not being able to validate the EVM HMAC. This patch calculates the HMAC using the real i_ino. Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> --- security/integrity/evm/evm_crypto.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 43e2dc3a60d0..baddbbce6ac7 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -241,6 +241,9 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, if (is_ima) ima_present = true; } + + /* Use the real i_ino to calculate the HMAC */ + inode = d_real_inode(dentry); hmac_add_misc(desc, inode, type, data->digest); /* Portable EVM signatures must include an IMA hash */ -- 2.20.1
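
Review bot: the added assignment "inode = d_real_inode(dentry);" placed directly before "hmac_add_misc(desc, inode, type, data->digest);" replaces the whole inode handed to hmac_add_misc(), not only i_ino. Every inode field that hmac_add_misc() folds into the HMAC will therefore come from the real inode, while the comment and the changelog speak only of i_ino. If that is the intent, say so in both places. If only i_ino should change, keep the original inode and pass the real one through a separate local, which also avoids altering what "inode" refers to for any code that follows in evm_calc_hmac_or_hash(). Because the assignment comes after the loop that closes just above it, everything before this point used the inode as it was on entry. The changelog should state whether combining that with real-inode metadata in one HMAC is expected, and whether the resulting value is unchanged for files that are not on overlayfs.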