From: Amir Goldstein
Date: Fri, 2 Feb 2024 18:17:32 +0200
Subject: Re: [PATCH 4/5] evm: Use the real inode's metadata to calculate metadata hash
To: Stefan Berger
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, miklos@szeredi.hu
In-Reply-To: <4ce0e20d-ed14-490d-9446-a6cfbd532bca@linux.ibm.com>
References: <20240130214620.3155380-1-stefanb@linux.ibm.com> <20240130214620.3155380-5-stefanb@linux.ibm.com> <38230b4c-54ae-45ed-a6fb-34e63501e5b1@linux.ibm.com> <492ea12a-d79d-47da-9bbe-a7f33051bd3f@linux.ibm.com> <4c584bfb-d282-4584-bb20-18c26b1033c0@linux.ibm.com> <11abffea-15c5-4d13-9d0f-edbc54b09bf3@linux.ibm.com> <427ce381-73fa-48f9-8e18-77e23813b918@linux.ibm.com> <4ce0e20d-ed14-490d-9446-a6cfbd532bca@linux.ibm.com>

> The odd thing is my updated test case '2' seems to indicate that
> everything already works as expected with CONFIG_OVERLAY_FS_METACOPY=y.
> After causing copy-up of metadata, changes to the file content on the
> lower layer still cause a permission error on file execution on the
> overlay layer, and after restoring the file content on the lower the file
> on the overlay again runs as expected. The file content change + copy-up
> of file content also has completely decoupled the lower file from the
> file on the overlay, and changes to the file on the lower cause no more
> file execution rejections on the overlay.

Sorry, you lost me.

The combination of IMA+EVM+OVL must be too complicated to explain in
plain language without an explicit test spelled out...

When you write "The file content change + copy-up of file content also has
completely decoupled the lower file from the file on the overlay",
what do you mean by "copy up of the file content"?
Why was the file content copied up?

I was asking about the use case where only metadata was copied up, but the
lower file content, which is still the content of the ovl file, was changed
underneath ovl. This case does not cause data content to be copied up.

I don't think we understand each other.

Thanks,
Amir.