From: Frederick Lawler
Date: Fri, 30 Jan 2026 16:39:56 -0600
Subject: [PATCH v5 3/3] ima: Use kstat.ctime as a fallback change detection for stacked fs
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260130-xfs-ima-fixup-v5-3-57e84ea91712@cloudflare.com>
References: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
In-Reply-To: <20260130-xfs-ima-fixup-v5-0-57e84ea91712@cloudflare.com>
To: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, Paul Moore, James Morris, "Serge E. Hallyn", "Darrick J. Wong", Christian Brauner, Josef Bacik, Jeff Layton
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-team@cloudflare.com, Frederick Lawler

IMA performs unnecessary measurements on files in stacked file systems that do not set kstat.change_cookie to an inode's i_version.

For example: TMPFS (upper) is stacked onto XFS (lower). Actions files result in re-measurement because commit 1cf7e834a6fb ("xfs: switch to multigrain timestamps") introduced multigrain timestamps into XFS which changed the kstat.change_cookie semantics to no longer supply an i_version to compare against in integrity_inode_attributes_changed(). Once the inode is in TMPFS, the change detection behavior operates as normal because TMPFS updates kstat.change_cookie to the i_version.

Instead, fall back onto a ctime comparison. This also gives file systems that do not support i_version an opportunity to avoid the same behavior, as they're more likely to have ctime support.

timespec64_to_ns() is chosen to avoid adding extra storage to integrity_inode_attributes by leveraging the existing version field.

Link: https://lore.kernel.org/all/aTspr4_h9IU4EyrR@CMGLRV3
Fixes: 1cf7e834a6fb ("xfs: switch to multigrain timestamps")
Suggested-by: Jeff Layton
Signed-off-by: Frederick Lawler
--- include/linux/integrity.h | 6 +++++- security/integrity/ima/ima_api.c | 11 ++++++++--- security/integrity/ima/ima_main.c | 2 +- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 382c783f0fa3ae4a938cdf9559291ba1903a378e..ec2c94907f417c4a71ecce29ac7= 9edac9bc2c6f8 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -10,6 +10,7 @@ #include #include #include +#include =20 enum integrity_status { INTEGRITY_PASS =3D 0, @@ -58,6 +59,9 @@ integrity_inode_attrs_stat_changed if (stat->result_mask & STATX_CHANGE_COOKIE) return stat->change_cookie !=3D attrs->version; =20 + if (stat->result_mask & STATX_CTIME) + return timespec64_to_ns(&stat->ctime) !=3D (s64)attrs->version; + return true; } =20 
@@ -84,7 +88,7 @@ integrity_inode_attrs_changed(const struct integrity_inod= e_attributes *attrs, * only for IMA if vfs_getattr_nosec() fails. */ if (!file || vfs_getattr_nosec(&file->f_path, &stat, - STATX_CHANGE_COOKIE, + STATX_CHANGE_COOKIE | STATX_CTIME, AT_STATX_SYNC_AS_STAT)) return !IS_I_VERSION(inode) || !inode_eq_iversion(inode, attrs->version); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_= api.c index c35ea613c9f8d404ba4886e3b736c3bab29d1668..e47d6281febc15a0ac1bd2ea1d2= 8fea4d0cd5c58 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -272,10 +272,15 @@ int ima_collect_measurement(struct ima_iint_cache *ii= nt, struct file *file, * to an initial measurement/appraisal/audit, but was modified to * assume the file changed. */ - result =3D vfs_getattr_nosec(&file->f_path, &stat, STATX_CHANGE_COOKIE, + result =3D vfs_getattr_nosec(&file->f_path, &stat, + STATX_CHANGE_COOKIE | STATX_CTIME, AT_STATX_SYNC_AS_STAT); - if (!result && (stat.result_mask & STATX_CHANGE_COOKIE)) - i_version =3D stat.change_cookie; + if (!result) { + if (stat.result_mask & STATX_CHANGE_COOKIE) + i_version =3D stat.change_cookie; + else if (stat.result_mask & STATX_CTIME) + i_version =3D timespec64_to_ns(&stat.ctime); + } hash.hdr.algo =3D algo; hash.hdr.length =3D hash_digest_size[algo]; =20 diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima= _main.c index 8cb17c9d446caaa5a98f5ec8f027c17ba7babca8..776db158b0bd8a0d053729ac0cc= 15af8b6020a98 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -199,7 +199,7 @@ static void ima_check_last_writer(struct ima_iint_cache= *iint, &iint->atomic_flags); if ((iint->flags & IMA_NEW_FILE) || vfs_getattr_nosec(&file->f_path, &stat, - STATX_CHANGE_COOKIE, + STATX_CHANGE_COOKIE | STATX_CTIME, AT_STATX_SYNC_AS_STAT) || integrity_inode_attrs_stat_changed(&iint->real_inode, &stat)) { --=20 2.43.0
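
Review bot: in include/linux/integrity.h, hunk @@ -58,6 +59,9 @@ (integrity_inode_attrs_stat_changed), the new STATX_CTIME branch compares against attrs->version with no record of whether that field was filled from change_cookie or from ctime. If result_mask carries STATX_CHANGE_COOKIE at collection time and only STATX_CTIME at check time (or the reverse), a cookie is compared with a nanosecond timestamp. That will normally report a change, which is the safe direction for IMA, but the dual meaning of version should be documented next to the field, or tracked with a flag so a mismatch of sources is treated as changed explicitly rather than by coincidence of values.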
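
Review bot: in include/linux/integrity.h, hunk @@ -84,7 +88,7 @@ (integrity_inode_attrs_changed), the vfs_getattr_nosec() failure path still returns "!IS_I_VERSION(inode) || !inode_eq_iversion(inode, attrs->version)", but with this patch attrs->version may hold timespec64_to_ns() of a ctime rather than an i_version. Comparing an i_version with a stored timestamp should come out as changed, so the result stays conservative, but the comment above this branch should say that the stored value may be a ctime and that the mismatch is intended to force re-measurement.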
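
Review bot: in security/integrity/ima/ima_api.c, hunk @@ -272,10 +272,15 @@ (ima_collect_measurement), the "else if (stat.result_mask & STATX_CTIME)" branch makes change detection only as fine as the file system's ctime granularity. The commit message extends the fallback to file systems without i_version support, and on one with coarse timestamps a write that lands in the same granule as the collected ctime would compare as unchanged and skip re-measurement. Please state that assumption in a comment here, or explain in the commit message why the file systems reaching this branch have sufficiently fine ctime.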
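
Review bot: in security/integrity/ima/ima_main.c, hunk @@ -199,7 +199,7 @@ (ima_check_last_writer), the request mask "STATX_CHANGE_COOKIE | STATX_CTIME" is now spelled out at three call sites across integrity.h, ima_api.c and ima_main.c. The collection side and the comparison side must request the same fields for the stored version to be comparable, so a single shared define for the mask would keep them from drifting apart in later changes.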