2024-04-12 14:02:18

by Stefan Berger

Subject: [RFC 0/2] ima: Fix detection of read/write violations on stacked filesystems

This series fixes the detection of read/write violations on stacked
filesystems. To be able to access the relevant dentries necessary to
detect files opened for writing on a stacked filesystem a new d_real_type
D_REAL_FILEDATA is introduced that allows callers to access all relevant
files involved in a stacked filesystem.

Stefan

Stefan Berger (2):
ovl: Define D_REAL_FILEDATA for d_real to return dentry with data
ima: Fix detection of read/write violations on stacked filesystems

fs/overlayfs/super.c | 6 ++++++
include/linux/dcache.h | 1 +
security/integrity/ima/ima_main.c | 27 ++++++++++++++++++++++-----
3 files changed, 29 insertions(+), 5 deletions(-)

--
2.43.0



2024-04-12 14:04:21

by Stefan Berger

Subject: [RFC 1/2] ovl: Define D_REAL_FILEDATA for d_real to return dentry with data

Define D_REAL_FILEDATA which is to be used as a parameter for d_real()
to return the dentry that is holding the file data, which is either the
upper or the lower dentry. The caller is expected to call d_real() again
on the returned dentry to get to lower layers of a stacked filesystem,
if available.

Signed-off-by: Stefan Berger <[email protected]>
---
fs/overlayfs/super.c | 6 ++++++
include/linux/dcache.h | 1 +
2 files changed, 7 insertions(+)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 06a231970cb5..f466ad89b005 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -36,6 +36,7 @@ static struct dentry *ovl_d_real(struct dentry *dentry, enum d_real_type type)
switch (type) {
case D_REAL_DATA:
case D_REAL_METADATA:
+ case D_REAL_FILEDATA:
break;
default:
goto bug;
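Review bot: the switch now accepts D_REAL_FILEDATA, but neither this hunk nor the commit message says how its result is meant to differ from D_REAL_DATA, which the same switch already accepts and which the unchanged `if (upper && (type == D_REAL_METADATA || ovl_has_upperdata(d_inode(dentry))))` check in the next hunk already resolves to `upper` when the upper layer holds the data. The commit message should state what D_REAL_FILEDATA returns that D_REAL_DATA cannot; otherwise callers get two names for the same answer.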
@@ -47,6 +48,11 @@ static struct dentry *ovl_d_real(struct dentry *dentry, enum d_real_type type)
}

upper = ovl_dentry_upper(dentry);
+ if (type == D_REAL_FILEDATA) {
+ if (ovl_has_upperdata(d_inode(dentry)))
+ return upper;
+ return ovl_dentry_lower(dentry);
+ }
if (upper && (type == D_REAL_METADATA ||
ovl_has_upperdata(d_inode(dentry))))
return upper;
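Review bot: the new D_REAL_FILEDATA block returns `upper` whenever ovl_has_upperdata(d_inode(dentry)) is true, which is exactly what the unchanged `if (upper && (type == D_REAL_METADATA || ovl_has_upperdata(d_inode(dentry))))` check immediately below already does for D_REAL_DATA, so the first half of the branch is redundant, and it also drops the `upper &&` NULL guard that the existing check keeps. The second half returns ovl_dentry_lower(dentry), which is the topmost lower dentry rather than the dentry holding the lower file's data; the ovl_dentry_lowerdata() accessor exists for that. Either explain in the commit message why ovl_dentry_lower() is the right answer here, or drop the branch and have callers use D_REAL_DATA.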
diff --git a/include/linux/dcache.h b/include/linux/dcache.h
index bf53e3894aae..e4e54fb2cf4e 100644
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -128,6 +128,7 @@ enum dentry_d_lock_class
enum d_real_type {
D_REAL_DATA,
D_REAL_METADATA,
+ D_REAL_FILEDATA,
};

struct dentry_operations {
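Review bot: D_REAL_FILEDATA is added to the enum without a comment, and the existing values carry none either, so a reader of dcache.h cannot tell how it differs from D_REAL_DATA. Add a one-line comment on the new value stating which dentry it returns and, as the commit message says, that the caller is expected to call d_real() again on the result to reach lower layers.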
--
2.43.0


2024-04-12 18:08:58

by Amir Goldstein

Subject: Re: [RFC 1/2] ovl: Define D_REAL_FILEDATA for d_real to return dentry with data

On Fri, Apr 12, 2024 at 5:01 PM Stefan Berger <[email protected]> wrote:
>
> Define D_REAL_FILEDATA which is to be used as a parameter for d_real()
> to return the dentry that is holding the file data, which is either the

D_REAL_DATA already does that

> upper or the lower dentry. The caller is expected to call d_real() again
> on the returned dentry to get to lower layers of a stacked filesystem,
> if available.
>
> Signed-off-by: Stefan Berger <[email protected]>
> ---
> fs/overlayfs/super.c | 6 ++++++
> include/linux/dcache.h | 1 +
> 2 files changed, 7 insertions(+)
>
> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
> index 06a231970cb5..f466ad89b005 100644
> --- a/fs/overlayfs/super.c
> +++ b/fs/overlayfs/super.c
> @@ -36,6 +36,7 @@ static struct dentry *ovl_d_real(struct dentry *dentry, enum d_real_type type)
> switch (type) {
> case D_REAL_DATA:
> case D_REAL_METADATA:
> + case D_REAL_FILEDATA:
> break;
> default:
> goto bug;
> @@ -47,6 +48,11 @@ static struct dentry *ovl_d_real(struct dentry *dentry, enum d_real_type type)
> }
>
> upper = ovl_dentry_upper(dentry);
> + if (type == D_REAL_FILEDATA) {
> + if (ovl_has_upperdata(d_inode(dentry)))
> + return upper;

This one is already the returned value for D_REAL_DATA

> + return ovl_dentry_lower(dentry);

And this one is a wrong value, because the lower file's data is at
ovl_dentry_lowerdata(), which is what D_REAL_DATA
returns.

So it is not clear to me what it is that you tried to do here.

Thanks,
Amir.