linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Christian Brauner <brauner@kernel.org>
Cc: linux-fsdevel@vger.kernel.org, Seth Forshee <sforshee@kernel.org>,
	Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH v4 13/30] evm: add post set acl hook
Date: Fri, 30 Sep 2022 07:48:31 -0400	[thread overview]
Message-ID: <e55cf916e5d5a50e293c7dc5b4f00802578eb6d6.camel@linux.ibm.com> (raw)
In-Reply-To: <20220930084438.4wuyeyogdthiwmmn@wittgenstein>

Hi Christian,

On Fri, 2022-09-30 at 10:44 +0200, Christian Brauner wrote:
> On Thu, Sep 29, 2022 at 09:44:45PM -0400, Mimi Zohar wrote: 
> > On Thu, 2022-09-29 at 17:30 +0200, Christian Brauner wrote:
> > > The security_inode_post_setxattr() hook is used by security modules to
> > > update their own security.* xattrs. Consequently none of the security
> > > modules operate on posix acls. So we don't need an additional security
> > > hook when post setting posix acls.
> > > 
> > > However, the integrity subsystem wants to be informed about posix acl
> > > changes and specifically evm to update their hashes when the xattrs
> > > change. 
> > 
> > ^... to be informed about posix acl changes in order to reset the EVM
> > status flag.
> 
> Substituted.
>  
> 
> > 
> > > The callchain for evm_inode_post_setxattr() is:
> > > 
> > > -> evm_inode_post_setxattr()
> > 
> > Resets the EVM status flag for both EVM signatures and HMAC.
> > 
> > >    -> evm_update_evmxattr()
> > 
> > evm_update_evmxattr() is only called for "security.evm", not acls.

After re-reading the code with fresh eyes, I made a mistake here. 
Please revert these suggestions.

> 
> I've added both comments but note that I'm explaining this in the
> paragraph below as well.

Agreed.

> 
> > 
> > >       -> evm_calc_hmac()
> > >          -> evm_calc_hmac_or_hash()
> > > 
> > > and evm_cacl_hmac_or_hash() walks the global list of protected xattr
> > > names evm_config_xattrnames. This global list can be modified via
> > > /sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is
> > > restricted to security.* xattrs and the default xattrs in
> > > evm_config_xattrnames only contains security.* xattrs as well.
> > > 
> > > So the actual value for posix acls is currently completely irrelevant
> > > for evm during evm_inode_post_setxattr() and frankly it should stay that
> > > way in the future to not cause the vfs any more headaches. But if the
> > > actual posix acl values matter then evm shouldn't operate on the binary
> > > void blob and try to hack around in the uapi struct anyway. Instead it
> > > should then in the future add a dedicated hook which takes a struct
> > > posix_acl argument passing the posix acls in the proper vfs format.
> > > 
> > > For now it is sufficient to make evm_inode_post_set_acl() a wrapper
> > > around evm_inode_post_setxattr() not passing any actual values down.
> > > This will still cause the hashes to be updated as before.
> > 
> > ^This will cause the EVM status flag to be reset.
> 
> Substituted.

My mistake.  Can you replace it with:

This will still cause the EVM status flag to be reset and EVM HMAC's to
be updated as before.

-- 
thanks,

Mimi


  reply	other threads:[~2022-09-30 11:51 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-29 15:30 [PATCH v4 00/30] acl: add vfs posix acl api Christian Brauner
2022-09-29 15:30 ` [PATCH v4 10/30] selinux: implement get, set and remove acl hook Christian Brauner
2022-09-29 19:15   ` Paul Moore
2022-09-30  8:38     ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 12/30] integrity: implement get and set " Christian Brauner
2022-09-29 19:14   ` Paul Moore
2022-09-30  3:19     ` Mimi Zohar
2022-09-30 14:11       ` Paul Moore
2022-09-30  8:11     ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 13/30] evm: add post " Christian Brauner
2022-09-30  1:44   ` Mimi Zohar
2022-09-30  2:51     ` Mimi Zohar
2022-09-30  8:44     ` Christian Brauner
2022-09-30 11:48       ` Mimi Zohar [this message]
2022-10-04  7:04         ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 15/30] acl: add vfs_set_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 25/30] evm: remove evm_xattr_acl_change() Christian Brauner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e55cf916e5d5a50e293c7dc5b4f00802578eb6d6.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=brauner@kernel.org \
    --cc=hch@lst.de \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=sforshee@kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).