git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Alexander Larsson <alexl@redhat.com>
	Wed, 21 Jun 2023 08:44:27 +0000 (10:44 +0200)
committer	Amir Goldstein <amir73il@gmail.com>
	Sat, 12 Aug 2023 16:02:38 +0000 (19:02 +0300)
commit	184996e92e86c4a4224dc4aaee75b2ccd04b6e78
tree	6867b80b2e237b63d04e5cf97d0222513c69af96	tree \| snapshot
parent	bf07089081a0ea18da4a103b9d813ffae3c2f6d8	commit \| diff

ovl: Validate verity xattr when resolving lowerdata

The new digest field in the metacopy xattr is used during lookup to
record whether the header contained a digest in the OVL_HAS_DIGEST
flags.

When accessing file data the first time, if OVL_HAS_DIGEST is set, we
reload the metadata and check that the source lowerdata inode matches
the specified digest in it (according to the enabled verity
options). If the verity check passes we store this info in the inode
flags as OVL_VERIFIED_DIGEST, so that we can avoid doing it again if
the inode remains in memory.

The verification is done in ovl_maybe_validate_verity() which needs to
be called in the same places as ovl_maybe_lookup_lowerdata(), so there
is a new ovl_verify_lowerdata() helper that calls these in the right
order, and all current callers of ovl_maybe_lookup_lowerdata() are
changed to call it instead.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>

fs/overlayfs/copy_up.c		diff \| blob \| blame \| history
fs/overlayfs/file.c		diff \| blob \| blame \| history
fs/overlayfs/namei.c		diff \| blob \| blame \| history
fs/overlayfs/overlayfs.h		diff \| blob \| blame \| history
fs/overlayfs/super.c		diff \| blob \| blame \| history
fs/overlayfs/util.c		diff \| blob \| blame \| history