diff mbox series

[1/5] evm: instead of using the overlayfs i_ino, use the real i_ino

Message ID 20190211165323.9369-2-iforster@suse.com (mailing list archive)
State New, archived
Series Fix overlayfs on EVM

Commit Message

Ignaz Forster Feb. 11, 2019, 4:53 p.m. UTC
From: Mimi Zohar <zohar@linux.ibm.com>

Using the overlayfs i_ino value in the HMAC calculation results in not
being able to validate the EVM HMAC.  This patch calculates the HMAC
using the real i_ino.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/evm/evm_crypto.c | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 43e2dc3a60d0..baddbbce6ac7 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -241,6 +241,9 @@  static int evm_calc_hmac_or_hash(struct dentry *dentry,
 		if (is_ima)
 			ima_present = true;
 	}
+
+	/* Use the real i_ino to calculate the HMAC */
+	inode = d_real_inode(dentry);
 	hmac_add_misc(desc, inode, type, data->digest);
 
 	/* Portable EVM signatures must include an IMA hash */
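Review bot: The comment on the added `inode = d_real_inode(dentry);` line mentions only i_ino, but the reassigned `inode` is passed whole to `hmac_add_misc(desc, inode, type, data->digest)`, so every other inode attribute that function folds into the HMAC is now taken from the real inode as well. If that is intended, the comment and the commit message should say so; if only the inode number is meant to change, the overlay inode should stay in `inode` and just the real i_ino be handed over. Overwriting the local `inode` this late in evm_calc_hmac_or_hash() also means any later use of `inode` in the function silently sees the real inode, so a separate local for the `d_real_inode()` result would make the scope of the change explicit. The commit message would also benefit from stating why the overlayfs i_ino makes validation fail, since that is the property the fix relies on.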