
[meta-security,7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue

Message ID 20230428122316.521800-8-stefanb@linux.ibm.com
State New
Series: Fix IMA and EVM support

Commit Message

Stefan Berger April 28, 2023, 12:23 p.m. UTC
Add a temporary patch that resolves a file change notification issue
with overlayfs where IMA did not become aware of the file changes
since the 'lower' inode's i_version had not changed. The issue will be
resolved in later kernels with the following patch that builds on
newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:

https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
 .../recipes-kernel/linux/linux_ima.inc        |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
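The commit message describes the symptom from IMA's side: a file rewritten through an overlayfs mount keeps its old measurement because i_version never moved, so IMA sees no reason to re-measure it. The following is an added example, not code from this series or from the kernel patch, showing how a practitioner can confirm that symptom (or its absence after the fix) from the measurement list alone. It parses the ima-ng lines of IMA's ascii_runtime_measurements, reports whether a path was re-measured, and compares the latest measured hash with a hash of the content currently on disk. The measurement lines and the "current contents" are constructed inline; the template hash field is a placeholder.

```python
"""Check an IMA measurement list for files whose changes IMA missed.

Added example, not code from the meta-security series or from the kernel
patch under discussion. It parses the ima-ng lines of IMA's
ascii_runtime_measurements (fields: PCR, template hash, template name,
algo:filehash, path) and compares the latest measured hash of each path
with a hash of the content now on disk. A file that was rewritten but whose
latest measurement still matches the old content is the symptom described
in the commit message: no i_version change, so no re-measurement.
"""
import hashlib

# Template hash placeholder; IMA computes it over the template data, which
# is irrelevant for this check. Constructed, not a real measurement.
_TEMPLATE_HASH = "0" * 40


def ima_ng_line(path, data, algo="sha256"):
    """Build one constructed ima-ng line for content `data` at `path`."""
    digest = hashlib.new(algo, data).hexdigest()
    return "10 %s ima-ng %s:%s %s" % (_TEMPLATE_HASH, algo, digest, path)


# Constructed measurement list: app.conf was re-measured once after an edit,
# the binary only once. IMA drops duplicate entries itself, so an unchanged
# file re-opened later adds nothing.
SAMPLE_MEASUREMENTS = "\n".join([
    ima_ng_line("/usr/bin/app", b"binary v1"),
    ima_ng_line("/etc/app.conf", b"debug=0\n"),
    ima_ng_line("/etc/app.conf", b"debug=1\n"),
]) + "\n"

# Constructed view of the files as they are now: app.conf was edited a second
# time (through overlayfs, say) and the list above has no entry for it.
CURRENT_CONTENTS = {
    "/usr/bin/app": b"binary v1",
    "/etc/app.conf": b"debug=2\n",
}


def parse_measurements(text):
    """Return [(path, algo, hexhash)] for ima-ng entries; other templates
    (ima, ima-sig, ...) carry different trailing fields and are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2] != "ima-ng":
            continue
        algo, sep, hexhash = fields[3].partition(":")
        if not sep:
            continue
        entries.append((fields[4], algo, hexhash))
    return entries


def distinct_hashes(text):
    """Map each path to its distinct measured hashes, in list order."""
    seen = {}
    for path, _algo, hexhash in parse_measurements(text):
        hashes = seen.setdefault(path, [])
        if hexhash not in hashes:
            hashes.append(hexhash)
    return seen


def was_remeasured(text, path):
    """True if IMA recorded more than one content hash for `path`."""
    return len(distinct_hashes(text).get(path, [])) > 1


def missed_changes(text, current_contents):
    """Paths whose latest measurement does not match the current content.

    `current_contents` maps path -> bytes read from disk now. Paths that
    were never measured are not reported (policy may exclude them)."""
    latest = {}
    for path, algo, hexhash in parse_measurements(text):
        latest[path] = (algo, hexhash)  # later lines win
    missed = []
    for path, data in current_contents.items():
        if path not in latest:
            continue
        algo, hexhash = latest[path]
        if hashlib.new(algo, data).hexdigest() != hexhash:
            missed.append(path)
    return sorted(missed)


if __name__ == "__main__":
    for path in sorted(CURRENT_CONTENTS):
        print(path, "re-measured:", was_remeasured(SAMPLE_MEASUREMENTS, path))
    print("changes IMA missed:",
          missed_changes(SAMPLE_MEASUREMENTS, CURRENT_CONTENTS))
```

On a real system the text comes from /sys/kernel/security/ima/ascii_runtime_measurements (root only) and the current contents from reading the files on the overlay mount; a path that shows up in missed_changes after a write is exactly the case the patch is meant to close.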

Comments

Mikko Rapeli April 28, 2023, 12:48 p.m. UTC | #1
Hi,

On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> Add a temporary patch that resolves a file change notification issue
> with overlayfs where IMA did not become aware of the file changes
> since the 'lower' inode's i_version had not changed. The issue will be
> resolved in later kernels with the following patch that builds on
> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
> 
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Would be nice to have Upstream-Status for each patch. I guess status
would be Backport here.

Cheers,

-Mikko

> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>  .../recipes-kernel/linux/linux_ima.inc        |  1 +
>  2 files changed, 43 insertions(+)
>  create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> 
> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> new file mode 100644
> index 0000000..d2b5c28
> --- /dev/null
> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> @@ -0,0 +1,42 @@
> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
> +From: Stefan Berger <stefanb@linux.ibm.com>
> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> +Subject: [PATCH] ovl: Increment iversion upon file changes
> +
> +This is a temporary patch for kernels that do not implement
> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
> +
> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> +
> +Increment the lower inode's iversion for IMA to be able to recognize
> +changes to the file.
> +
> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> +---
> + fs/overlayfs/file.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> +index 6011f955436b..1dfe5e7bfe1c 100644
> +--- a/fs/overlayfs/file.c
> ++++ b/fs/overlayfs/file.c
> +@@ -13,6 +13,7 @@
> + #include <linux/security.h>
> + #include <linux/mm.h>
> + #include <linux/fs.h>
> ++#include <linux/iversion.h>
> + #include "overlayfs.h"
> + 
> + struct ovl_aio_req {
> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
> + 		if (ret != -EIOCBQUEUED)
> + 			ovl_aio_cleanup_handler(aio_req);
> + 	}
> ++	if (ret > 0)
> ++		inode_maybe_inc_iversion(inode, false);
> + out:
> + 	revert_creds(old_cred);
> + out_fdput:
> +-- 
> +2.34.1
> +
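Review bot: the `if (ret > 0)` bump is placed after the async branch, where a queued AIO write leaves `ret == -EIOCBQUEUED` and completes later in `ovl_aio_cleanup_handler`, so only synchronous writes ever increment i_version; the completion path needs the same increment or async writers keep the stale version. The description also says "lower inode's iversion" while the hunk passes `ovl_write_iter`'s own `inode`, not a lower/real one; say which inode is meant. Finally, as raised above, the patch file carries no `Upstream-Status:` line; since it is a stopgap whose upstream successor is a different patch, something like `Upstream-Status: Inappropriate [temporary workaround for kernels <= 6.2]` fits better than Backport.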
> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> index 0b6f530..9d48e5c 100644
> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>  
>  SRC_URI += " \
>      ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>  "
>  
>  do_configure() {
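Review bot: the new SRC_URI entry is unconditional while the `ima.scc` line directly above it is gated on the 'ima' DISTRO_FEATURE, so every recipe that pulls in linux_ima.inc gets this patch regardless of feature or kernel version, even though the patch describes itself as only for kernels <= 6.2. Gate it the same way, e.g. `${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://0001-ovl-Increment-iversion-upon-file-changes.patch', '', d)} \`, and add a kernel-version condition; the downstream patch failures reported later in this thread are the expected outcome of applying it to kernels that cannot take it.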
> -- 
> 2.34.1
> 

Stefan Berger April 28, 2023, 12:55 p.m. UTC | #2
On 4/28/23 08:48, Mikko Rapeli wrote:
> Hi,
> 
> On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>> Add a temporary patch that resolves a file change notification issue
>> with overlayfs where IMA did not become aware of the file changes
>> since the 'lower' inode's i_version had not changed. The issue will be
>> resolved in later kernels with the following patch that builds on
>> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>>
>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> 
> Would be nice to have Upstream-Status for each patch. I guess status
> would be Backport here.

It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
(alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
and have that referenced patch applied which isn't upstreamed so far, either.

For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...

      Stefan

> 
> Cheers,
> 
> -Mikko
> 
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>>   2 files changed, 43 insertions(+)
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>
>> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> new file mode 100644
>> index 0000000..d2b5c28
>> --- /dev/null
>> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> @@ -0,0 +1,42 @@
>> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>> +From: Stefan Berger <stefanb@linux.ibm.com>
>> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>> +Subject: [PATCH] ovl: Increment iversion upon file changes
>> +
>> +This is a temporary patch for kernels that do not implement
>> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>> +
>> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>> +
>> +Increment the lower inode's iversion for IMA to be able to recognize
>> +changes to the file.
>> +
>> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> +---
>> + fs/overlayfs/file.c | 3 +++
>> + 1 file changed, 3 insertions(+)
>> +
>> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>> +index 6011f955436b..1dfe5e7bfe1c 100644
>> +--- a/fs/overlayfs/file.c
>> ++++ b/fs/overlayfs/file.c
>> +@@ -13,6 +13,7 @@
>> + #include <linux/security.h>
>> + #include <linux/mm.h>
>> + #include <linux/fs.h>
>> ++#include <linux/iversion.h>
>> + #include "overlayfs.h"
>> +
>> + struct ovl_aio_req {
>> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
>> + 		if (ret != -EIOCBQUEUED)
>> + 			ovl_aio_cleanup_handler(aio_req);
>> + 	}
>> ++	if (ret > 0)
>> ++		inode_maybe_inc_iversion(inode, false);
>> + out:
>> + 	revert_creds(old_cred);
>> + out_fdput:
>> +--
>> +2.34.1
>> +
>> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> index 0b6f530..9d48e5c 100644
>> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>>   
>>   SRC_URI += " \
>>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
>> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>>   "
>>   
>>   do_configure() {
>> -- 
>> 2.34.1
>>
Jose Quaresma May 9, 2023, 2:53 p.m. UTC | #3
Hi Stefan,

Having this patch applied unconditionally to all kernels doesn't work and
the patch fails in many downstream kernels.
I suggest reverting this one if no other solutions come up.

Jose

Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:

>
>
> On 4/28/23 08:48, Mikko Rapeli wrote:
> > Hi,
> >
> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> >> Add a temporary patch that resolves a file change notification issue
> >> with overlayfs where IMA did not become aware of the file changes
> >> since the 'lower' inode's i_version had not changed. The issue will be
> >> resolved in later kernels with the following patch that builds on
> >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
> >>
> >>
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >
> > Would be nice to have Upstream-Status for each patch. I guess status
> > would be Backport here.
>
> It's quite possible that this series here
> https://lkml.org/lkml/2022/10/21/624
> (alone?) would provide the
> infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
> and have that referenced patch applied which isn't upstreamed so far,
> either.
>
> For now this two-liner seemed simpler and resolves the issue. I understand
> the concern, though...
>
>       Stefan
>
> >
> > Cheers,
> >
> > -Mikko
> >
> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >> ---
> >>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
> >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
> >>   2 files changed, 43 insertions(+)
> >>   create mode 100644
> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >>
> >> diff --git
> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >> new file mode 100644
> >> index 0000000..d2b5c28
> >> --- /dev/null
> >> +++
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >> @@ -0,0 +1,42 @@
> >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
> >> +From: Stefan Berger <stefanb@linux.ibm.com>
> >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> >> +Subject: [PATCH] ovl: Increment iversion upon file changes
> >> +
> >> +This is a temporary patch for kernels that do not implement
> >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
> >> +
> >> +
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >> +
> >> +Increment the lower inode's iversion for IMA to be able to recognize
> >> +changes to the file.
> >> +
> >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >> +---
> >> + fs/overlayfs/file.c | 3 +++
> >> + 1 file changed, 3 insertions(+)
> >> +
> >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> >> +index 6011f955436b..1dfe5e7bfe1c 100644
> >> +--- a/fs/overlayfs/file.c
> >> ++++ b/fs/overlayfs/file.c
> >> +@@ -13,6 +13,7 @@
> >> + #include <linux/security.h>
> >> + #include <linux/mm.h>
> >> + #include <linux/fs.h>
> >> ++#include <linux/iversion.h>
> >> + #include "overlayfs.h"
> >> +
> >> + struct ovl_aio_req {
> >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb,
> struct iov_iter *iter)
> >> +            if (ret != -EIOCBQUEUED)
> >> +                    ovl_aio_cleanup_handler(aio_req);
> >> +    }
> >> ++   if (ret > 0)
> >> ++           inode_maybe_inc_iversion(inode, false);
> >> + out:
> >> +    revert_creds(old_cred);
> >> + out_fdput:
> >> +--
> >> +2.34.1
> >> +
> >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >> index 0b6f530..9d48e5c 100644
> >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
> >>
> >>   SRC_URI += " \
> >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc',
> '', d)} \
> >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
> >>   "
> >>
> >>   do_configure() {
> >> --
> >> 2.34.1
> >>
Jose Quaresma May 9, 2023, 3:05 p.m. UTC | #4
And it fails in other recipes like linux-firmware, because bitbake also tries
to apply the patch to linux-firmware: it uses the
recipes-kernel/linux/linux-%.bbappend to check when integrity is enabled.

Jose

Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 15:53:

> Hi Stefan,
>
> Having this patch applied unconditionally to all kernels doesn't work and
> the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.
>
> Jose
>
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>
>>
>>
>> On 4/28/23 08:48, Mikko Rapeli wrote:
>> > Hi,
>> >
>> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>> >> Add a temporary patch that resolves a file change notification issue
>> >> with overlayfs where IMA did not become aware of the file changes
>> >> since the 'lower' inode's i_version had not changed. The issue will be
>> >> resolved in later kernels with the following patch that builds on
>> >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>> >>
>> >>
>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>> >
>> > Would be nice to have Upstream-Status for each patch. I guess status
>> > would be Backport here.
>>
>> It's quite possible that this series here
>> https://lkml.org/lkml/2022/10/21/624
>> (alone?) would provide the
>> infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>> and have that referenced patch applied which isn't upstreamed so far,
>> either.
>>
>> For now this two-liner seemed simpler and resolves the issue. I
>> understand the concern, though...
>>
>>       Stefan
>>
>> >
>> > Cheers,
>> >
>> > -Mikko
>> >
>> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> >> ---
>> >>   ...Increment-iversion-upon-file-changes.patch | 42
>> +++++++++++++++++++
>> >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>> >>   2 files changed, 43 insertions(+)
>> >>   create mode 100644
>> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> >>
>> >> diff --git
>> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> >> new file mode 100644
>> >> index 0000000..d2b5c28
>> >> --- /dev/null
>> >> +++
>> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> >> @@ -0,0 +1,42 @@
>> >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>> >> +From: Stefan Berger <stefanb@linux.ibm.com>
>> >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>> >> +Subject: [PATCH] ovl: Increment iversion upon file changes
>> >> +
>> >> +This is a temporary patch for kernels that do not implement
>> >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>> >> +
>> >> +
>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>> >> +
>> >> +Increment the lower inode's iversion for IMA to be able to recognize
>> >> +changes to the file.
>> >> +
>> >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> >> +---
>> >> + fs/overlayfs/file.c | 3 +++
>> >> + 1 file changed, 3 insertions(+)
>> >> +
>> >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>> >> +index 6011f955436b..1dfe5e7bfe1c 100644
>> >> +--- a/fs/overlayfs/file.c
>> >> ++++ b/fs/overlayfs/file.c
>> >> +@@ -13,6 +13,7 @@
>> >> + #include <linux/security.h>
>> >> + #include <linux/mm.h>
>> >> + #include <linux/fs.h>
>> >> ++#include <linux/iversion.h>
>> >> + #include "overlayfs.h"
>> >> +
>> >> + struct ovl_aio_req {
>> >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb,
>> struct iov_iter *iter)
>> >> +            if (ret != -EIOCBQUEUED)
>> >> +                    ovl_aio_cleanup_handler(aio_req);
>> >> +    }
>> >> ++   if (ret > 0)
>> >> ++           inode_maybe_inc_iversion(inode, false);
>> >> + out:
>> >> +    revert_creds(old_cred);
>> >> + out_fdput:
>> >> +--
>> >> +2.34.1
>> >> +
>> >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> >> index 0b6f530..9d48e5c 100644
>> >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>> >>
>> >>   SRC_URI += " \
>> >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc',
>> '', d)} \
>> >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>> >>   "
>> >>
>> >>   do_configure() {
>> >> --
>> >> 2.34.1
>> >>
>> >
>> >>
>> >>
>> >>
>> >
>>
>>
>>
>>
>
> --
> Best regards,
>
> José Quaresma
>
Stefan Berger May 9, 2023, 4:20 p.m. UTC | #5
On 5/9/23 10:53, Jose Quaresma wrote:
> Hi Stefan, 
> 
> Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.

Then let me drop this one. I just posted v2 of this series and can repost in v3 with this patch dropped and possibly
only have it applied in the OpenBMC project. I suppose my conclusion from OpenBMC, which currently works with a 6.1.15
kernel, that all other Yocto projects also now use a >= 6.1.15 kernel, was wrong?

     Stefan

> 
> Jose
> 
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> 
> 
> 
>     On 4/28/23 08:48, Mikko Rapeli wrote:
>      > Hi,
>      >
>      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>      >> Add a temporary patch that resolves a file change notification issue
>      >> with overlayfs where IMA did not become aware of the file changes
>      >> since the 'lower' inode's i_version had not changed. The issue will be
>      >> resolved in later kernels with the following patch that builds on
>      >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>      >>
>      >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>      >
>      > Would be nice to have Upstream-Status for each patch. I guess status
>      > would be Backport here.
> 
>     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>     and have that referenced patch applied which isn't upstreamed so far, either.
> 
>     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
> 
>            Stefan
> 
>      >
>      > Cheers,
>      >
>      > -Mikko
>      >
>      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>      >> ---
>      >>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>      >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>      >>   2 files changed, 43 insertions(+)
>      >>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >>
>      >> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >> new file mode 100644
>      >> index 0000000..d2b5c28
>      >> --- /dev/null
>      >> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >> @@ -0,0 +1,42 @@
>      >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>      >> +From: Stefan Berger <stefanb@linux.ibm.com>
>      >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>      >> +Subject: [PATCH] ovl: Increment iversion upon file changes
>      >> +
>      >> +This is a temporary patch for kernels that do not implement
>      >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>      >> +
>      >> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>      >> +
>      >> +Increment the lower inode's iversion for IMA to be able to recognize
>      >> +changes to the file.
>      >> +
>      >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>      >> +---
>      >> + fs/overlayfs/file.c | 3 +++
>      >> + 1 file changed, 3 insertions(+)
>      >> +
>      >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>      >> +index 6011f955436b..1dfe5e7bfe1c 100644
>      >> +--- a/fs/overlayfs/file.c
>      >> ++++ b/fs/overlayfs/file.c
>      >> +@@ -13,6 +13,7 @@
>      >> + #include <linux/security.h>
>      >> + #include <linux/mm.h>
>      >> + #include <linux/fs.h>
>      >> ++#include <linux/iversion.h>
>      >> + #include "overlayfs.h"
>      >> +
>      >> + struct ovl_aio_req {
>      >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
>      >> +            if (ret != -EIOCBQUEUED)
>      >> +                    ovl_aio_cleanup_handler(aio_req);
>      >> +    }
>      >> ++   if (ret > 0)
>      >> ++           inode_maybe_inc_iversion(inode, false);
>      >> + out:
>      >> +    revert_creds(old_cred);
>      >> + out_fdput:
>      >> +--
>      >> +2.34.1
>      >> +
>      >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> index 0b6f530..9d48e5c 100644
>      >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>      >>
>      >>   SRC_URI += " \
>      >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
>      >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>      >>   "
>      >>
>      >>   do_configure() {
>      >> --
>      >> 2.34.1
>      >>
>      >
>      >>
>      >>
>      >>
>      >
> 
> -- 
> Best regards,
> 
> José Quaresma
Jose Quaresma May 9, 2023, 5:02 p.m. UTC | #6
Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 16:06:

> And it fails in other recipes like linux-firmware.
> Because bitbake also tries to apply the patch to linux-firmware because it
> uses the recipes-kernel/linux/linux-%.bbappend to check when the
> integrity is enabled.
>

I believe that the full patchset needs to be reverted because it also
breaks linux-firmware even reverting this patch.

Jose


>
> Jose
>
> Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 15:53:
>
>> Hi Stefan,
>>
>> Having this patch applied unconditionally to all kernels doesn't work and
>> the patch fails in many downstream kernels.
>> I suggest reverting this one if no other solutions come up.
>>
>> Jose
>>
>> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>>
>>>
>>>
>>> On 4/28/23 08:48, Mikko Rapeli wrote:
>>> > Hi,
>>> >
>>> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>>> >> Add a temporary patch that resolves a file change notification issue
>>> >> with overlayfs where IMA did not become aware of the file changes
>>> >> since the 'lower' inode's i_version had not changed. The issue will be
>>> >> resolved in later kernels with the following patch that builds on
>>> >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>>> >>
>>> >>
>>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>>> >
>>> > Would be nice to have Upstream-Status for each patch. I guess status
>>> > would be Backport here.
>>>
>>> It's quite possible that this series here
>>> https://lkml.org/lkml/2022/10/21/624
>>> (alone?) would provide
>>> the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>>> and have that referenced patch applied which isn't upstreamed so far,
>>> either.
>>>
>>> For now this two-liner seemed simpler and resolves the issue. I
>>> understand the concern, though...
>>>
>>>       Stefan
>>>
>>> >
>>> > Cheers,
>>> >
>>> > -Mikko
>>> >
>>> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>> >> ---
>>> >>   ...Increment-iversion-upon-file-changes.patch | 42
>>> +++++++++++++++++++
>>> >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>>> >>   2 files changed, 43 insertions(+)
>>> >>   create mode 100644
>>> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>> >>
>>> >> diff --git
>>> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>> >> new file mode 100644
>>> >> index 0000000..d2b5c28
>>> >> --- /dev/null
>>> >> +++
>>> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>> >> @@ -0,0 +1,42 @@
>>> >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00
>>> 2001
>>> >> +From: Stefan Berger <stefanb@linux.ibm.com>
>>> >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>>> >> +Subject: [PATCH] ovl: Increment iversion upon file changes
>>> >> +
>>> >> +This is a temporary patch for kernels that do not implement
>>> >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>>> >> +
>>> >> +
>>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>>> >> +
>>> >> +Increment the lower inode's iversion for IMA to be able to recognize
>>> >> +changes to the file.
>>> >> +
>>> >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>> >> +---
>>> >> + fs/overlayfs/file.c | 3 +++
>>> >> + 1 file changed, 3 insertions(+)
>>> >> +
>>> >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>>> >> +index 6011f955436b..1dfe5e7bfe1c 100644
>>> >> +--- a/fs/overlayfs/file.c
>>> >> ++++ b/fs/overlayfs/file.c
>>> >> +@@ -13,6 +13,7 @@
>>> >> + #include <linux/security.h>
>>> >> + #include <linux/mm.h>
>>> >> + #include <linux/fs.h>
>>> >> ++#include <linux/iversion.h>
>>> >> + #include "overlayfs.h"
>>> >> +
>>> >> + struct ovl_aio_req {
>>> >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb
>>> *iocb, struct iov_iter *iter)
>>> >> +            if (ret != -EIOCBQUEUED)
>>> >> +                    ovl_aio_cleanup_handler(aio_req);
>>> >> +    }
>>> >> ++   if (ret > 0)
>>> >> ++           inode_maybe_inc_iversion(inode, false);
>>> >> + out:
>>> >> +    revert_creds(old_cred);
>>> >> + out_fdput:
>>> >> +--
>>> >> +2.34.1
>>> >> +
>>> >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>>> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>>> >> index 0b6f530..9d48e5c 100644
>>> >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>>> >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>>> >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>>> >>
>>> >>   SRC_URI += " \
>>> >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima',
>>> 'file://ima.scc', '', d)} \
>>> >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>>> >>   "
>>> >>
>>> >>   do_configure() {
>>> >> --
>>> >> 2.34.1
>>> >>
>>> >
>>> >>
>>> >>
>>> >>
>>> >
>>>
>>>
>>>
>>>
>>
>> --
>> Best regards,
>>
>> José Quaresma
>>
>>
>>
>>
>
> --
> Best regards,
>
> José Quaresma
>
Stefan Berger May 9, 2023, 5:03 p.m. UTC | #7
On 5/9/23 10:53, Jose Quaresma wrote:

> Hi Stefan,
> 
> Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.

Oh, I just saw the patches were applied to meta-security already. Alright, I will send a separate patch to
drop this patch.

    Stefan
> 
> Jose
> 
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> 
> 
> 
>     On 4/28/23 08:48, Mikko Rapeli wrote:
>      > Hi,
>      >
>      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>      >> Add a temporary patch that resolves a file change notification issue
>      >> with overlayfs where IMA did not become aware of the file changes
>      >> since the 'lower' inode's i_version had not changed. The issue will be
>      >> resolved in later kernels with the following patch that builds on
>      >> newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>      >>
>      >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>      >
>      > Would be nice to have Upstream-Status for each patch. I guess status
>      > would be Backport here.
> 
>     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>     and have that referenced patch applied which isn't upstreamed so far, either.
> 
>     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
> 
>            Stefan
> 
>      >
>      > Cheers,
>      >
>      > -Mikko
>      >
>      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>
>      >> ---
>      >>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>      >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>      >>   2 files changed, 43 insertions(+)
>      >>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >>
>      >> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >> new file mode 100644
>      >> index 0000000..d2b5c28
>      >> --- /dev/null
>      >> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >> @@ -0,0 +1,42 @@
>      >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>      >> +From: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>
>      >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>      >> +Subject: [PATCH] ovl: Increment iversion upon file changes
>      >> +
>      >> +This is a temporary patch for kernels that do not implement
>      >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>      >> +
>      >> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 <https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459>
>      >> +
>      >> +Increment the lower inode's iversion for IMA to be able to recognize
>      >> +changes to the file.
>      >> +
>      >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>
>      >> +---
>      >> + fs/overlayfs/file.c | 3 +++
>      >> + 1 file changed, 3 insertions(+)
>      >> +
>      >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>      >> +index 6011f955436b..1dfe5e7bfe1c 100644
>      >> +--- a/fs/overlayfs/file.c
>      >> ++++ b/fs/overlayfs/file.c
>      >> +@@ -13,6 +13,7 @@
>      >> + #include <linux/security.h>
>      >> + #include <linux/mm.h>
>      >> + #include <linux/fs.h>
>      >> ++#include <linux/iversion.h>
>      >> + #include "overlayfs.h"
>      >> +
>      >> + struct ovl_aio_req {
>      >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
>      >> +            if (ret != -EIOCBQUEUED)
>      >> +                    ovl_aio_cleanup_handler(aio_req);
>      >> +    }
>      >> ++   if (ret > 0)
>      >> ++           inode_maybe_inc_iversion(inode, false);
>      >> + out:
>      >> +    revert_creds(old_cred);
>      >> + out_fdput:
>      >> +--
>      >> +2.34.1
>      >> +
>      >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> index 0b6f530..9d48e5c 100644
>      >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>      >>
>      >>   SRC_URI += " \
>      >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
>      >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>      >>   "
>      >>
>      >>   do_configure() {
>      >> --
>      >> 2.34.1
>      >>
>      >
>      >>
>      >>
>      >>
>      >
> 
> 
> 
> 
> 
> -- 
> Best regards,
> 
> José Quaresma
> 
> 
>
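One way to gate the workaround so that it is only applied where it can apply, written as an added example for this discussion and not the layer's own linux_ima.inc. The variable name KERNEL_IMA_OVL_IVERSION_PATCH, the helper function ima_ovl_iversion_patch and the v6.3 cut-off (the first kernel with STATX_CHANGE_COOKIE, per the commit message) are assumptions of this example; LINUX_VERSION/PV formats vary between kernel recipes, so the version check is a best-effort default that a distro can override.

```bitbake
FILESEXTRAPATHS:append := "${THISDIR}/linux:"

# Assumed by this example (not part of meta-integrity): a distro can force the
# overlayfs i_version workaround on ("1") or off ("0"); "auto" applies it only
# when IMA is enabled and the kernel predates v6.3. Vendor kernels whose
# fs/overlayfs/file.c differs from mainline should set "0" in their distro conf.
KERNEL_IMA_OVL_IVERSION_PATCH ?= "auto"

def ima_ovl_iversion_patch(d):
    patch = 'file://0001-ovl-Increment-iversion-upon-file-changes.patch'
    mode = d.getVar('KERNEL_IMA_OVL_IVERSION_PATCH')
    if mode == '1':
        return patch
    if mode != 'auto':
        return ''
    if not bb.utils.contains('DISTRO_FEATURES', 'ima', True, False, d):
        return ''
    # linux-yocto sets LINUX_VERSION (e.g. "6.1.15") and PV like "6.1.15+git...";
    # take whichever is set and drop any "+git" suffix before comparing.
    ver = d.getVar('LINUX_VERSION') or d.getVar('PV') or '0'
    ver = ver.split('+')[0]
    if bb.utils.vercmp_string_op(ver, '6.3', '<'):
        return patch
    return ''

SRC_URI += " \
    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
    ${@ima_ovl_iversion_patch(d)} \
"
```

With this in place the unmodified 6.1.x OpenBMC kernel still gets the patch, a 6.3+ kernel never sees it, and a downstream kernel that cannot take it is one `KERNEL_IMA_OVL_IVERSION_PATCH = "0"` away from building again.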
Jose Quaresma May 9, 2023, 5:05 p.m. UTC | #8
Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:

>
>
> On 5/9/23 10:53, Jose Quaresma wrote:
> > Hi Stefan,
> >
> > Having this patch applied unconditionally to all kernels doesn't work
> and the patch fails in many downstream kernels.
> > I suggest reverting this one if no other solutions come up.
>
> Then let me drop this one. I just posted v2 of this series and can repost
> in v3 with this patch dropped and possibly
> only have it applied in the OpenBMC project. I suppose my conclusion from
> OpenBMC, which currently works with a 6.1.15
> kernel, that all other Yocto projects also now use a >= 6.1.15 kernel, was
> wrong?
>

Yup! That is also my opinion.
But after reverting this patch some other new issues come up because of the
IMA side-effect changes,
so linux-firmware doesn't build any more.

Jose


>      Stefan
>
> >
> > Jose
> >
> > Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> >
> >
> >
> >     On 4/28/23 08:48, Mikko Rapeli wrote:
> >      > Hi,
> >      >
> >      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> >      >> Add a temporary patch that resolves a file change notification
> issue
> >      >> with overlayfs where IMA did not become aware of the file changes
> >      >> since the 'lower' inode's i_version had not changed. The issue
> will be
> >      >> resolved in later kernels with the following patch that builds on
> >      >> newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
> >      >>
> >      >>
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >
> >      >
> >      > Would be nice to have Upstream-Status for each patch. I guess
> status
> >      > would be Backport here.
> >
> >      >     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
> >      >     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
> >      >     and have that referenced patch applied which isn't upstreamed so far, either.
> >
> >     For now this two-liner seemed simpler and resolves the issue. I
> understand the concern, though...
> >
> >            Stefan
> >
> >      >
> >      > Cheers,
> >      >
> >      > -Mikko
> >      >
> >      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>
> >      >> ---
> >      >>   ...Increment-iversion-upon-file-changes.patch | 42
> +++++++++++++++++++
> >      >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
> >      >>   2 files changed, 43 insertions(+)
> >      >>   create mode 100644
> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >>
> >      >> diff --git
> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >> new file mode 100644
> >      >> index 0000000..d2b5c28
> >      >> --- /dev/null
> >      >> +++
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >> @@ -0,0 +1,42 @@
> >      >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17
> 00:00:00 2001
> >      >> +From: Stefan Berger <stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>
> >      >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> >      >> +Subject: [PATCH] ovl: Increment iversion upon file changes
> >      >> +
> >      >> +This is a temporary patch for kernels that do not implement
> >      >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this
> one:
> >      >> +
> >      >> +
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >
> >      >> +
> >      >> +Increment the lower inode's iversion for IMA to be able to
> recognize
> >      >> +changes to the file.
> >      >> +
> >      >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>
> >      >> +---
> >      >> + fs/overlayfs/file.c | 3 +++
> >      >> + 1 file changed, 3 insertions(+)
> >      >> +
> >      >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> >      >> +index 6011f955436b..1dfe5e7bfe1c 100644
> >      >> +--- a/fs/overlayfs/file.c
> >      >> ++++ b/fs/overlayfs/file.c
> >      >> +@@ -13,6 +13,7 @@
> >      >> + #include <linux/security.h>
> >      >> + #include <linux/mm.h>
> >      >> + #include <linux/fs.h>
> >      >> ++#include <linux/iversion.h>
> >      >> + #include "overlayfs.h"
> >      >> +
> >      >> + struct ovl_aio_req {
> >      >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb
> *iocb, struct iov_iter *iter)
> >      >> +            if (ret != -EIOCBQUEUED)
> >      >> +                    ovl_aio_cleanup_handler(aio_req);
> >      >> +    }
> >      >> ++   if (ret > 0)
> >      >> ++           inode_maybe_inc_iversion(inode, false);
> >      >> + out:
> >      >> +    revert_creds(old_cred);
> >      >> + out_fdput:
> >      >> +--
> >      >> +2.34.1
> >      >> +
> >      >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >> index 0b6f530..9d48e5c 100644
> >      >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
> >      >>
> >      >>   SRC_URI += " \
> >      >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima',
> 'file://ima.scc', '', d)} \
> >      >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
> >      >>   "
> >      >>
> >      >>   do_configure() {
> >      >> --
> >      >> 2.34.1
> >      >>
> >      >
> >      >>
> >      >>
> >      >>
> >      >
> >
> >
> >
> >
> > --
> > Best regards,
> >
> > José Quaresma
>
Stefan Berger May 9, 2023, 6:05 p.m. UTC | #9
On 5/9/23 13:05, Jose Quaresma wrote:
> 
> 
> Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:
> 
> 
> 
>     On 5/9/23 10:53, Jose Quaresma wrote:
>      > Hi Stefan,
>      >
>      > Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
>      > I suggest reverting this one if no other solutions come up.
> 
>     Then let me drop this one. I just posted v2 of this series and can repost in v3 with this patch dropped and possibly
>     only have it applied in the OpenBMC project. I suppose my conclusion from OpenBMC, which currently works with a 6.1.15
>     kernel, that all other Yocto projects also now use a >= 6.1.15 kernel, was wrong?
> 
> 
> Yup! That is also my opinion.
> But after reverting this patch some other new issues come up because of the IMA side-effect changes,
> so linux-firmware doesn't build any more.

Can you either point me to the changes or tell me how you build linux-firmware so that I can recreate the issue locally?

    Stefan

> 
> Jose
> 
> 
>           Stefan
> 
>      >
>      > Jose
>      >
>      > Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>      >
>      >
>      >
>      >     On 4/28/23 08:48, Mikko Rapeli wrote:
>      >      > Hi,
>      >      >
>      >      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>      >      >> Add a temporary patch that resolves a file change notification issue
>      >      >> with overlayfs where IMA did not become aware of the file changes
>      >      >> since the 'lower' inode's i_version had not changed. The issue will be
>      >      >> resolved in later kernels with the following patch that builds on
>      >      >> newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>      >      >>
>      >      >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>      >      >
>      >      > Would be nice to have Upstream-Status for each patch. I guess status
>      >      > would be Backport here.
>      >
>      >     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>      >     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>      >     and have that referenced patch applied which isn't upstreamed so far, either.
>      >
>      >     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
>      >
>      >            Stefan
>      >
>      >      >
>      >      > Cheers,
>      >      >
>      >      > -Mikko
>      >      >
>      >      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>>
>      >      >> ---
>      >      >>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>      >      >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>      >      >>   2 files changed, 43 insertions(+)
>      >      >>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >      >>
>      >      >> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >      >> new file mode 100644
>      >      >> index 0000000..d2b5c28
>      >      >> --- /dev/null
>      >      >> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >      >> @@ -0,0 +1,42 @@
>      >      >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>      >      >> +From: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>>
>      >      >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>      >      >> +Subject: [PATCH] ovl: Increment iversion upon file changes
>      >      >> +
>      >      >> +This is a temporary patch for kernels that do not implement
>      >      >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>      >      >> +
>      >      >> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 <https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459> <https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 <https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459>>
>      >      >> +
>      >      >> +Increment the lower inode's iversion for IMA to be able to recognize
>      >      >> +changes to the file.
>      >      >> +
>      >      >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>>
>      >      >> +---
>      >      >> + fs/overlayfs/file.c | 3 +++
>      >      >> + 1 file changed, 3 insertions(+)
>      >      >> +
>      >      >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>      >      >> +index 6011f955436b..1dfe5e7bfe1c 100644
>      >      >> +--- a/fs/overlayfs/file.c
>      >      >> ++++ b/fs/overlayfs/file.c
>      >      >> +@@ -13,6 +13,7 @@
>      >      >> + #include <linux/security.h>
>      >      >> + #include <linux/mm.h>
>      >      >> + #include <linux/fs.h>
>      >      >> ++#include <linux/iversion.h>
>      >      >> + #include "overlayfs.h"
>      >      >> +
>      >      >> + struct ovl_aio_req {
>      >      >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
>      >      >> +            if (ret != -EIOCBQUEUED)
>      >      >> +                    ovl_aio_cleanup_handler(aio_req);
>      >      >> +    }
>      >      >> ++   if (ret > 0)
>      >      >> ++           inode_maybe_inc_iversion(inode, false);
>      >      >> + out:
>      >      >> +    revert_creds(old_cred);
>      >      >> + out_fdput:
>      >      >> +--
>      >      >> +2.34.1
>      >      >> +
>      >      >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >      >> index 0b6f530..9d48e5c 100644
>      >      >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >      >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >      >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>      >      >>
>      >      >>   SRC_URI += " \
>      >      >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
>      >      >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>      >      >>   "
>      >      >>
>      >      >>   do_configure() {
>      >      >> --
>      >      >> 2.34.1
>      >      >>
>      >      >
>      >      >>
>      >      >>
>      >      >>
>      >      >
>      >
>      >
>      >
>      >
>      >
>      > --
>      > Best regards,
>      >
>      > José Quaresma
> 
> 
> 
> -- 
> Best regards,
> 
> José Quaresma
> 
> 
>
Jose Quaresma May 9, 2023, 6:13 p.m. UTC | #10
Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 19:05:

>
>
> On 5/9/23 13:05, Jose Quaresma wrote:
> >
> >
> > Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:
> >
> >
> >
> >     On 5/9/23 10:53, Jose Quaresma wrote:
> >      > Hi Stefan,
> >      >
> >      > Having this patch applied unconditionally to all kernels doesn't
> work and the patch fails in many downstream kernels.
> >      > I suggest reverting this one if no other solutions come up.
> >
> >     Then let me drop this one. I just posted v2 of this series and can
> repost in v3 with this patch dropped and possibly
> >     only have it applied in the OpenBMC project. I suppose my conclusion
> from OpenBMC, which currently works with a 6.1.15
> >     kernel, that all other Yocto projects also now use a >= 6.1.15
> kernel, was wrong?
> >
> >
> > Yup! That is also my opinion.
> > But after reverting this patch some other new issues come up because of the IMA side-effect changes,
> > so linux-firmware doesn't build any more.
>
> Can you either point me to the changes or tell me how you build
> linux-firmware so that I can recreate the issue locally?
>

It's easy, just call the following:

bitbake linux-firmware


>
>     Stefan
>
> >
> > Jose
> >
> >
> >           Stefan
> >
> >      >
> >      > Jose
> >      >
> >      > Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> >      >
> >      >
> >      >
> >      >     On 4/28/23 08:48, Mikko Rapeli wrote:
> >      >      > Hi,
> >      >      >
> >      >      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger
> wrote:
> >      >      >> Add a temporary patch that resolves a file change
> notification issue
> >      >      >> with overlayfs where IMA did not become aware of the file
> changes
> >      >      >> since the 'lower' inode's i_version had not changed. The
> issue will be
> >      >      >> resolved in later kernels with the following patch that
> builds on
> >      >      >> newly addd feature (support for STATX_CHANGE_COOKIE) in
> v6.3-rc1:
> >      >      >>
> >      >      >>
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459>
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >>
> >      >      >
> >      >      > Would be nice to have Upstream-Status for each patch. I
> guess status
> >      >      > would be Backport here.
> >      >
> >      >     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
> >      >     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
> >      >     and have that referenced patch applied which isn't upstreamed so far, either.
> >      >
> >      >     For now this two-liner seemed simpler and resolves the issue.
> I understand the concern, though...
> >      >
> >      >            Stefan
> >      >
> >      >      >
> >      >      > Cheers,
> >      >      >
> >      >      > -Mikko
> >      >      >
> >      >      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com
> <mailto:stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>>
> >      >      >> ---
> >      >      >>   ...Increment-iversion-upon-file-changes.patch | 42
> +++++++++++++++++++
> >      >      >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
> >      >      >>   2 files changed, 43 insertions(+)
> >      >      >>   create mode 100644
> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >      >>
> >      >      >> diff --git
> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >      >> new file mode 100644
> >      >      >> index 0000000..d2b5c28
> >      >      >> --- /dev/null
> >      >      >> +++
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >      >> @@ -0,0 +1,42 @@
> >      >      >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17
> 00:00:00 2001
> >      >      >> +From: Stefan Berger <stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>>
> >      >      >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> >      >      >> +Subject: [PATCH] ovl: Increment iversion upon file
> changes
> >      >      >> +
> >      >      >> +This is a temporary patch for kernels that do not
> implement
> >      >      >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will
> be this one:
> >      >      >> +
> >      >      >> +
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459>
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >>
> >      >      >> +
> >      >      >> +Increment the lower inode's iversion for IMA to be able
> to recognize
> >      >      >> +changes to the file.
> >      >      >> +
> >      >      >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com
> <mailto:stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>>
> >      >      >> +---
> >      >      >> + fs/overlayfs/file.c | 3 +++
> >      >      >> + 1 file changed, 3 insertions(+)
> >      >      >> +
> >      >      >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> >      >      >> +index 6011f955436b..1dfe5e7bfe1c 100644
> >      >      >> +--- a/fs/overlayfs/file.c
> >      >      >> ++++ b/fs/overlayfs/file.c
> >      >      >> +@@ -13,6 +13,7 @@
> >      >      >> + #include <linux/security.h>
> >      >      >> + #include <linux/mm.h>
> >      >      >> + #include <linux/fs.h>
> >      >      >> ++#include <linux/iversion.h>
> >      >      >> + #include "overlayfs.h"
> >      >      >> +
> >      >      >> + struct ovl_aio_req {
> >      >      >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct
> kiocb *iocb, struct iov_iter *iter)
> >      >      >> +            if (ret != -EIOCBQUEUED)
> >      >      >> +                    ovl_aio_cleanup_handler(aio_req);
> >      >      >> +    }
> >      >      >> ++   if (ret > 0)
> >      >      >> ++           inode_maybe_inc_iversion(inode, false);
> >      >      >> + out:
> >      >      >> +    revert_creds(old_cred);
> >      >      >> + out_fdput:
> >      >      >> +--
> >      >      >> +2.34.1
> >      >      >> +
> >      >      >> diff --git
> a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >      >> index 0b6f530..9d48e5c 100644
> >      >      >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >      >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >      >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append :=
> "${THISDIR}/linux:"
> >      >      >>
> >      >      >>   SRC_URI += " \
> >      >      >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima',
> 'file://ima.scc', '', d)} \
> >      >      >> +
> file://0001-ovl-Increment-iversion-upon-file-changes.patch \
> >      >      >>   "
> >      >      >>
> >      >      >>   do_configure() {
> >      >      >> --
> >      >      >> 2.34.1
> >      >      >>
> >      >      >
> >      >      >>
> >      >      >>
> >      >      >>
> >      >      >
> >      >
> >      >
> >      >
> >      >
> >      >
> >      > --
> >      > Best regards,
> >      >
> >      > José Quaresma
> >
> >
> >
> > --
> > Best regards,
> >
> > José Quaresma
> >
> >
> >
>
Stefan Berger May 9, 2023, 6:37 p.m. UTC | #11
On 5/9/23 14:13, Jose Quaresma wrote:

> 
> it's easy, just call the following:
> 
> bitbake linux-firmware
> 
> 

How do you initialize this environment?


If I were to do this from meta-security I get this:

$ bitbake linux-firmware
ERROR: The BBPATH variable is not set and bitbake did not find a conf/bblayers.conf file in the expected location.
Maybe you accidentally invoked bitbake from the wrong directory?


    Stefan

Patch

diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
new file mode 100644
index 0000000..d2b5c28
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
@@ -0,0 +1,42 @@ 
+From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Thu, 6 Apr 2023 11:27:29 -0400
+Subject: [PATCH] ovl: Increment iversion upon file changes
+
+This is a temporary patch for kernels that do not implement
+STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
+
+https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
+
+Increment the lower inode's iversion for IMA to be able to recognize
+changes to the file.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ fs/overlayfs/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
+index 6011f955436b..1dfe5e7bfe1c 100644
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -13,6 +13,7 @@
+ #include <linux/security.h>
+ #include <linux/mm.h>
+ #include <linux/fs.h>
++#include <linux/iversion.h>
+ #include "overlayfs.h"
+ 
+ struct ovl_aio_req {
+@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
+ 		if (ret != -EIOCBQUEUED)
+ 			ovl_aio_cleanup_handler(aio_req);
+ 	}
++	if (ret > 0)
++		inode_maybe_inc_iversion(inode, false);
+ out:
+ 	revert_creds(old_cred);
+ out_fdput:
+-- 
+2.34.1
+
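Review bot: the `if (ret > 0)` check inserted after the `is_sync_kiocb` else-branch never fires for a queued asynchronous write, because that path leaves `ret == -EIOCBQUEUED` (the line immediately above the insertion tests for exactly that value), so the i_version is only bumped for synchronous writes; the completion path that runs once the AIO finishes (`ovl_aio_cleanup_handler` in the shown context) needs an equivalent `inode_maybe_inc_iversion` on success, otherwise IMA will still miss changes made through AIO on overlayfs. Two smaller points on the same file: the commit message says the lower inode's i_version is incremented, but the hunk increments `inode`, whose declaration lies outside the shown context of `ovl_write_iter`; state in the message which inode (overlay or underlying) this is so text and code agree. And the patch header carries no `Upstream-Status:` line, which Yocto layers expect on every patch shipped in a recipe; since the description itself says the change is temporary and will be replaced by a different STATX_CHANGE_COOKIE-based fix, `Upstream-Status: Inappropriate [temporary workaround for kernels <= 6.2, superseded upstream]` describes it more accurately than Backport.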
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 0b6f530..9d48e5c 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -2,6 +2,7 @@  FILESEXTRAPATHS:append := "${THISDIR}/linux:"
 
 SRC_URI += " \
     ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
+    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
 "
 
 do_configure() {
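Review bot: the new `file://0001-ovl-Increment-iversion-upon-file-changes.patch` entry is added unconditionally, whereas the `ima.scc` line just above it is wrapped in `bb.utils.contains('DISTRO_FEATURES', 'ima', ...)`, so every kernel built with this .inc receives the overlayfs patch even when IMA is disabled; and because the patch's own description limits it to kernels that lack STATX_CHANGE_COOKIE (<= 6.2), it is only needed there and may not apply cleanly on 6.3+ trees. Suggest gating it the same way, for example `${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://0001-ovl-Increment-iversion-upon-file-changes.patch', '', d)} \`, and noting the kernel-version limit in a comment next to the line so the entry is dropped once the supported kernel moves past 6.2.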