From: Frederick Lawler
Date: Fri, 30 Jan 2026 16:39:54 -0600
Subject: [PATCH v5 1/3] ima: Unify vfs_getattr_nosec() stat comparisons under helper function
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260130-xfs-ima-fixup-v5-1-57e84ea91712@cloudflare.com>
References: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
In-Reply-To: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore, James Morris, "Serge E. Hallyn", "Darrick J. Wong", Christian Brauner, Josef Bacik, Jeff Layton
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-team@cloudflare.com, Frederick Lawler
X-Mailer: b4 0.14.2
X-Developer-Key: i=fred@cloudflare.com; a=openpgp;
fpr=CB341A8C566BB53C7BE339EDAB25B4760392D36D

The logic for comparing kstat.change_cookie against IMA version is hard to read. Abstract comparison logic into a new function integrity_inode_attrs_stat_changed().

No functional change intended.

Signed-off-by: Frederick Lawler
---
 include/linux/integrity.h | 11 +++++++++++
 security/integrity/ima/ima_main.c | 4 ++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h index f5842372359be5341b6870a43b92e695e8fc78af..beb9ab19fa6257e79266b58bcb5= f55b0c5445828 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -49,6 +49,17 @@ integrity_inode_attrs_store(struct integrity_inode_attri= butes *attrs, attrs->ino =3D inode->i_ino; } =20 +/* Compares stat attributes for change detection. */ +static inline bool +integrity_inode_attrs_stat_changed +(const struct integrity_inode_attributes *attrs, const struct kstat *stat) +{ + if (stat->result_mask & STATX_CHANGE_COOKIE) + return stat->change_cookie !=3D attrs->version; + + return true; +} + /* * On stacked filesystems detect whether the inode or its content has chan= ged. */ diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima= _main.c index 5770cf691912aa912fc65280c59f5baac35dd725..6570ad10887b9ea1172c78274cf= 62482350e87ff 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -201,8 +201,8 @@ static void ima_check_last_writer(struct ima_iint_cache= *iint, vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, AT_STATX_SYNC_AS_STAT) || - !(stat.result_mask & STATX_CHANGE_COOKIE) || - stat.change_cookie !=3D iint->real_inode.version) { + integrity_inode_attrs_stat_changed(&iint->real_inode, + &stat)) { iint->flags &=3D ~(IMA_DONE_MASK | IMA_NEW_FILE); iint->measured_pcrs =3D 0; if (update) --=20 2.43.0
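Review bot: In the integrity.h hunk the new helper's signature is split so that the parameter list opens on its own line (`+integrity_inode_attrs_stat_changed` followed by `+(const struct integrity_inode_attributes *attrs, const struct kstat *stat)`); kernel style keeps the opening parenthesis on the name line and aligns the continuation under it. The one-line comment "Compares stat attributes for change detection." should also say what the return value means: true is returned both when the cookie differs and when STATX_CHANGE_COOKIE is absent from result_mask, so an unavailable cookie is treated as "changed" and the file is re-evaluated rather than trusted. That is the fail-safe choice and worth stating explicitly, since the later patches in this series build on it.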
From: Frederick Lawler
Date: Fri, 30 Jan 2026 16:39:55 -0600
Subject: [PATCH v5 2/3] ima: Make integrity_inode_attrs_changed() call into vfs
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260130-xfs-ima-fixup-v5-2-57e84ea91712@cloudflare.com>
References: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
In-Reply-To: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore, James Morris, "Serge E. Hallyn", "Darrick J. Wong", Christian Brauner, Josef Bacik, Jeff Layton
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-team@cloudflare.com, Frederick Lawler
X-Mailer: b4 0.14.2
X-Developer-Key: i=fred@cloudflare.com; a=openpgp;
fpr=CB341A8C566BB53C7BE339EDAB25B4760392D36D

Align integrity_inode_attrs_changed() to ima_check_last_writer()'s semantics when detecting changes.

For IMA, on stacked file systems that do not set kstat.change_cookie, integrity_inode_attrs_changed() will compare zero to zero, thus no change is detected. This is not dissimilar to what ima_check_last_writer() does.

No logical change intended for EVM.

Signed-off-by: Frederick Lawler
---
 include/linux/integrity.h | 28 ++++++++++++++++++++++++----
 security/integrity/evm/evm_main.c | 5 ++---
 security/integrity/ima/ima_main.c | 5 ++---
 3 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h index beb9ab19fa6257e79266b58bcb5f55b0c5445828..382c783f0fa3ae4a938cdf95592= 91ba1903a378e 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -9,6 +9,7 @@ =20 #include #include +#include =20 enum integrity_status { INTEGRITY_PASS =3D 0,
@@ -62,14 +63,33 @@ integrity_inode_attrs_stat_changed =20 /* * On stacked filesystems detect whether the inode or its content has chan= ged. + * + * Must be called in process context. */ static inline bool integrity_inode_attrs_changed(const struct integrity_inode_attributes *att= rs, - const struct inode *inode) + struct file *file, struct inode *inode) { - return (inode->i_sb->s_dev !=3D attrs->dev || - inode->i_ino !=3D attrs->ino || - !inode_eq_iversion(inode, attrs->version)); + struct kstat stat; + + might_sleep(); + + if (inode->i_sb->s_dev !=3D attrs->dev || inode->i_ino !=3D attrs->ino) + return true; + + /* + * EVM currently relies on backing inode i_version. While IS_I_VERSION + * is not a good indicator of i_version support, this still retains + * the logic such that a re-evaluation should still occur for EVM, and + * only for IMA if vfs_getattr_nosec() fails. + */ + if (!file || vfs_getattr_nosec(&file->f_path, &stat, + STATX_CHANGE_COOKIE, + AT_STATX_SYNC_AS_STAT)) + return !IS_I_VERSION(inode) || + !inode_eq_iversion(inode, attrs->version); + + return integrity_inode_attrs_stat_changed(attrs, &stat); } =20 =20 diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm= _main.c index 73d500a375cb37a54f295b0e1e93fd6e5d9ecddc..6a4e0e246005246d5700b1db590= c1759242b9cb6 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -752,9 +752,8 @@ bool evm_metadata_changed(struct inode *inode, struct i= node *metadata_inode) bool ret =3D false; =20 if (iint) { - ret =3D (!IS_I_VERSION(metadata_inode) || - integrity_inode_attrs_changed(&iint->metadata_inode, - metadata_inode)); + ret =3D integrity_inode_attrs_changed(&iint->metadata_inode, + NULL, metadata_inode); if (ret) iint->evm_status =3D INTEGRITY_UNKNOWN; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima= _main.c index 6570ad10887b9ea1172c78274cf62482350e87ff..8cb17c9d446caaa5a98f5ec8f02= 7c17ba7babca8 100644 
--- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
@@ -328,9 +328,8 @@ static int process_measurement(struct file *file, const= struct cred *cred, real_inode =3D d_real_inode(file_dentry(file)); if (real_inode !=3D inode && (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) { - if (!IS_I_VERSION(real_inode) || - integrity_inode_attrs_changed(&iint->real_inode, - real_inode)) { + if (integrity_inode_attrs_changed(&iint->real_inode, + file, real_inode)) { iint->flags &=3D ~IMA_DONE_MASK; iint->measured_pcrs =3D 0; } --=20 2.43.0
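Review bot: The `file` argument added to integrity_inode_attrs_changed() in the integrity.h hunk may be NULL (evm_metadata_changed() passes NULL in the evm_main.c hunk), but the comment above the function only gains "Must be called in process context."; it should also state that a NULL file selects the i_version path (`return !IS_I_VERSION(inode) || !inode_eq_iversion(inode, attrs->version);`) and that the vfs_getattr_nosec() path is taken otherwise. The commit message additionally says that a stacked filesystem which does not set kstat.change_cookie "will compare zero to zero, thus no change detected", yet the helper this function now calls returns true whenever STATX_CHANGE_COOKIE is missing from result_mask, which forces a re-evaluation; the description should say which case is meant (a cookie reported as zero versus no cookie reported), since the two give opposite results.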
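Review bot: In the process_measurement() hunk the stat is now taken through `file->f_path`, i.e. the upper (stacked) file, while the dev/ino comparison inside the helper and the removed `!IS_I_VERSION(real_inode)` test operate on `real_inode`, the lower inode. That pairing matches ima_collect_measurement(), which fills i_version from the same `file->f_path` (visible in the ima_api.c hunk of patch 3), but it is subtle: a short comment at this call site noting that the stored version must be collected through the same path used to check it would stop a future caller from storing the lower inode's i_version and then comparing it against the upper file's cookie, which would silently disable change detection.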
From: Frederick Lawler
Date: Fri, 30 Jan 2026 16:39:56 -0600
Subject: [PATCH v5 3/3] ima: Use kstat.ctime as a fallback change detection for stacked fs
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260130-xfs-ima-fixup-v5-3-57e84ea91712@cloudflare.com>
References: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
In-Reply-To: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore, James Morris, "Serge E. Hallyn", "Darrick J. Wong", Christian Brauner, Josef Bacik, Jeff Layton
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-team@cloudflare.com, Frederick Lawler
X-Mailer: b4 0.14.2
X-Developer-Key: i=fred@cloudflare.com; a=openpgp;
fpr=CB341A8C566BB53C7BE339EDAB25B4760392D36D

IMA performs unnecessary measurements on files in stacked file systems that do not set kstat.change_cookie to an inode's i_version.

For example: TMPFS (upper) is stacked onto XFS (lower). Actions on files result in re-measurement because commit 1cf7e834a6fb ("xfs: switch to multigrain timestamps") introduced multigrain timestamps into XFS which changed the kstat.change_cookie semantics to no longer supply an i_version to compare against in integrity_inode_attributes_changed(). Once the inode is in TMPFS, the change detection behavior operates as normal because TMPFS updates kstat.change_cookie to the i_version.

Instead, fall back onto a ctime comparison. This also gives file systems that do not support i_version an opportunity to avoid the same behavior, as they're more likely to have ctime support.

timespec64_to_ns() is chosen to avoid adding extra storage to integrity_inode_attributes by leveraging the existing version field.

Link: https://lore.kernel.org/all/aTspr4_h9IU4EyrR@CMGLRV3
Fixes: 1cf7e834a6fb ("xfs: switch to multigrain timestamps")
Suggested-by: Jeff Layton
Signed-off-by: Frederick Lawler
---
 include/linux/integrity.h | 6 +++++-
 security/integrity/ima/ima_api.c | 11 ++++++++---
 security/integrity/ima/ima_main.c | 2 +-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 382c783f0fa3ae4a938cdf9559291ba1903a378e..ec2c94907f417c4a71ecce29ac7= 9edac9bc2c6f8 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -10,6 +10,7 @@ #include #include #include +#include =20 enum integrity_status { INTEGRITY_PASS =3D 0, @@ -58,6 +59,9 @@ integrity_inode_attrs_stat_changed if (stat->result_mask & STATX_CHANGE_COOKIE) return stat->change_cookie !=3D attrs->version; =20 + if (stat->result_mask & STATX_CTIME) + return timespec64_to_ns(&stat->ctime) !=3D (s64)attrs->version; + return true; } =20
@@ -84,7 +88,7 @@ integrity_inode_attrs_changed(const struct integrity_inod= e_attributes *attrs, * only for IMA if vfs_getattr_nosec() fails. */ if (!file || vfs_getattr_nosec(&file->f_path, &stat, - STATX_CHANGE_COOKIE, + STATX_CHANGE_COOKIE | STATX_CTIME, AT_STATX_SYNC_AS_STAT)) return !IS_I_VERSION(inode) || !inode_eq_iversion(inode, attrs->version); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_= api.c index c35ea613c9f8d404ba4886e3b736c3bab29d1668..e47d6281febc15a0ac1bd2ea1d2= 8fea4d0cd5c58 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -272,10 +272,15 @@ int ima_collect_measurement(struct ima_iint_cache *ii= nt, struct file *file, * to an initial measurement/appraisal/audit, but was modified to * assume the file changed. */ - result =3D vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, + result =3D vfs_getattr_nosec(&file->f_path, &stat, + STATX_CHANGE_COOKIE | STATX_CTIME, AT_STATX_SYNC_AS_STAT); - if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) - i_version =3D stat.change_cookie; + if (!result) { + if (stat.result_mask & STATX_CHANGE_COOKIE) + i_version =3D stat.change_cookie; + else if (stat.result_mask & STATX_CTIME) + i_version =3D timespec64_to_ns(&stat.ctime); + } hash.hdr.algo =3D algo; hash.hdr.length =3D hash_digest_size[algo]; =20 diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima= _main.c index 8cb17c9d446caaa5a98f5ec8f027c17ba7babca8..776db158b0bd8a0d053729ac0cc= 15af8b6020a98 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -199,7 +199,7 @@ static void ima_check_last_writer(struct ima_iint_cache= *iint, &iint->atomic_flags); if ((iint->flags & IMA_NEW_FILE) || vfs_getattr_nosec(&file->f_path, &stat, - STATX_CHANGE_COOKIE, + STATX_CHANGE_COOKIE | STATX_CTIME, AT_STATX_SYNC_AS_STAT) || integrity_inode_attrs_stat_changed(&iint->real_inode, &stat)) { --=20 2.43.0
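Review bot: The ctime fallback added to integrity_inode_attrs_stat_changed() is a weaker change signal than the change cookie, and the helper's comment ("Compares stat attributes for change detection.") should say so: a change cookie is defined to differ after every modification, whereas two writes that land within one ctime tick on a filesystem with coarse timestamps, or a ctime that repeats after the system clock is stepped backwards, compare equal and leave a stale measurement in place. The comparison `timespec64_to_ns(&stat->ctime) != (s64)attrs->version` also reinterprets the version field as either a cookie or a nanosecond count depending on result_mask, which is the storage saving the commit message describes; a one-line comment here, or at the field definition, documenting that dual meaning would help the next reader.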
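Review bot: In the ima_collect_measurement() hunk the value stored in i_version is the change cookie when STATX_CHANGE_COOKIE is set and the ctime in nanoseconds when only STATX_CTIME is set, but nothing records which of the two was stored. The later comparison in integrity_inode_attrs_stat_changed() picks the interpretation from the result_mask of a fresh vfs_getattr_nosec() call, so a filesystem that reports STATX_CHANGE_COOKIE on one call and not on another would compare a cookie against a timestamp (or the reverse). If that cannot happen for a given inode, a comment stating the assumption would document it; if it can, the mismatch is worth handling explicitly, for example by treating a changed result_mask as "changed" so the file is re-measured rather than trusted.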