From: Mimi Zohar Date: Mon, 2 Feb 2026 16:23:47 +0000 (-0500) Subject: ima: fallback to using i_version to detect file change X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=01baa39cf55fbbd0078f28a215157ecd185a5176;p=thirdparty%2Fkernel%2Flinux.git ima: fallback to using i_version to detect file change Commit db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version") replaced detecting file change based on i_version with STATX_CHANGE_COOKIE. On filesystems without STATX_CHANGE_COOKIE enabled, revert back to detecting file change based on i_version. On filesystems which do not support either, assume the file changed. Reported-by: Frederick Lawler Fixes: db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version") Cc: stable@vger.kernel.org Reviewed-by: Frederick Lawler Tested-by: Frederick Lawler Signed-off-by: Mimi Zohar --- diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index d15becc8c640f..0916f24f005f2 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -269,15 +269,20 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file, goto out; /* - * Detecting file change is based on i_version. On filesystems - * which do not support i_version, support was originally limited - * to an initial measurement/appraisal/audit, but was modified to - * assume the file changed. + * Detect file change based on STATX_CHANGE_COOKIE, when supported, + * and fallback to detecting file change based on i_version. + * + * On filesystems which did not support i_version, support was + * originally limited to an initial measurement/appraisal/audit, + * but was later modified to assume the file changed. */ result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, AT_STATX_SYNC_AS_STAT); if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) i_version = stat.change_cookie; + else if (IS_I_VERSION(real_inode)) + i_version = inode_peek_iversion(real_inode); + hash.hdr.algo = algo; hash.hdr.length = hash_digest_size[algo]; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 5808b52c84264..5cea53fc36dff 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -180,6 +180,29 @@ static void ima_rdwr_violation_check(struct file *file, "invalid_pcr", "open_writers"); } +/* + * Detect file change based on STATX_CHANGE_COOKIE, when supported, and + * fallback to detecting file change based on i_version. On filesystems + * which do not support either, assume the file changed. + */ +static bool ima_detect_file_change(struct ima_iint_cache *iint, + struct inode *inode, struct file *file) +{ + struct kstat stat; + int result; + + result = vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, + AT_STATX_SYNC_AS_STAT); + + if (!result && stat.result_mask & STATX_CHANGE_COOKIE) + return stat.change_cookie != iint->real_inode.version; + + if (IS_I_VERSION(inode)) + return !inode_eq_iversion(inode, iint->real_inode.version); + + return true; +} + static void ima_check_last_writer(struct ima_iint_cache *iint, struct inode *inode, struct file *file) { @@ -191,18 +214,13 @@ static void ima_check_last_writer(struct ima_iint_cache *iint, mutex_lock(&iint->mutex); if (atomic_read(&inode->i_writecount) == 1) { - struct kstat stat; - clear_bit(IMA_EMITTED_OPENWRITERS, &iint->atomic_flags); update = test_and_clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); - if ((iint->flags & IMA_NEW_FILE) || - vfs_getattr_nosec(&file->f_path, &stat, - STATX_CHANGE_COOKIE, - AT_STATX_SYNC_AS_STAT) || - !(stat.result_mask & STATX_CHANGE_COOKIE) || - stat.change_cookie != iint->real_inode.version) { + + if (iint->flags & IMA_NEW_FILE || + ima_detect_file_change(iint, inode, file)) { iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); iint->measured_pcrs = 0; if (update)