From: Rock L. <roc...@gm...> - 2017-09-12 09:04:35

Hi,

Writing a file into an overlayfs may cause the process to get stuck. This is because in IMA fix mode, IMA will fix the xattr of files. ima_check_last_writer() holds inode->i_mutex and calls __vfs_setxattr_noperm(). It works with most filesystems, but not overlayfs: overlayfs calls vfs_setxattr, which also holds inode->i_mutex, so when working with IMA fix mode the process will get stuck. But for the recent linux-4.13 there is no such problem; the VFS changed a lot.

I wrote a patch for linux-3.18 to make overlayfs work in IMA fix mode. It works, but I don't know if it is reasonable. Could you give some advice?

security/integrity/ima/ima_main.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 62f59ec..171fe9b 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -120,7 +120,12 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, if (!(mode & FMODE_WRITE)) return; - mutex_lock(&inode->i_mutex); + /* + * For overlayfs, it calls vfs_setxattr which holds inode->i_mutex, + * so, don't lock inode. + */ + if (inode == file->f_dentry->d_inode) + mutex_lock(&inode->i_mutex); if (atomic_read(&inode->i_writecount) == 1) { if ((iint->version != inode->i_version) || (iint->flags & IMA_NEW_FILE)) { @@ -129,7 +134,8 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, ima_update_xattr(iint, file); } } - mutex_unlock(&inode->i_mutex); + if (inode == file->f_dentry->d_inode) + mutex_unlock(&inode->i_mutex); } /** -- 1.9.1

--
Cheers,
Rock
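Review bot: In the first hunk (the `mutex_lock` site), skipping the lock whenever `inode != file->f_dentry->d_inode` removes more protection than the comment justifies: `i_mutex` here does not only wrap the inner `__vfs_setxattr_noperm()` call, it also serialises the `atomic_read(&inode->i_writecount) == 1` check, the `iint->version != inode->i_version` / `IMA_NEW_FILE` test and `ima_update_xattr()` against a concurrent last writer, so on the overlayfs path that whole sequence now runs unlocked. The comment should state why the unlocked check is acceptable for overlayfs, or the code should take `i_mutex` on the inode that `ima_update_xattr()` will actually write the xattr to rather than taking no lock at all; as written this trades a self-deadlock for a race.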
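Review bot: In the second hunk (the `mutex_unlock` site), the unlock re-evaluates `inode == file->f_dentry->d_inode` instead of reusing the decision made at the lock site, so the lock/unlock pair is only balanced as long as that comparison yields the same answer twice. Compute it once before `mutex_lock()`, for example `bool locked = (inode == file->f_dentry->d_inode);`, and test `locked` at the unlock; a conditional lock that is decided separately at both ends is also the kind of pattern that hides unbalanced locking from review.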