Changes to the file attribute (mode bits, uid, gid) on the lower layer are not take into account when d_backing_inode() is used when a file is accessed on the overlay layer and this file has not yet been copied up. This is because d_backing_inode() does not return the real inode of the lower layer but instead returns the backing inode which holds old file attributes. When the old file attributes are used for calculating the metadata hash then the expected hash is calculated and the file then mistakenly passes signature verification. Therefore, use d_real_inode() which returns the inode of the lower layer for as long as the file has not been copied up and returns the upper layer's inode otherwise. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> --- security/integrity/evm/evm_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index b1ffd4cc0b44..2e48fe54e899 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -223,7 +223,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, size_t req_xattr_value_len, uint8_t type, struct evm_digest *data) { - struct inode *inode = d_backing_inode(dentry); + struct inode *inode = d_real_inode(dentry); struct xattr_list *xattr; struct shash_desc *desc; size_t xattr_size = 0; -- 2.43.0