From: Christian Brauner <brauner@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-fsdevel@vger.kernel.org, Seth Forshee <sforshee@kernel.org>,
Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH v4 13/30] evm: add post set acl hook
Date: Fri, 30 Sep 2022 10:44:38 +0200 [thread overview]
Message-ID: <20220930084438.4wuyeyogdthiwmmn@wittgenstein> (raw)
In-Reply-To: <9b71392a68d9441697fcca12b30e26578ed7423f.camel@linux.ibm.com>
On Thu, Sep 29, 2022 at 09:44:45PM -0400, Mimi Zohar wrote:
> Hi Christian,
>
> On Thu, 2022-09-29 at 17:30 +0200, Christian Brauner wrote:
> > The security_inode_post_setxattr() hook is used by security modules to
> > update their own security.* xattrs. Consequently none of the security
> > modules operate on posix acls. So we don't need an additional security
> > hook when post setting posix acls.
> >
> > However, the integrity subsystem wants to be informed about posix acl
> > changes and specifically evm to update their hashes when the xattrs
> > change.
>
> ^... to be informed about posix acl changes in order to reset the EVM
> status flag.
Substituted.
>
> > The callchain for evm_inode_post_setxattr() is:
> >
> > -> evm_inode_post_setxattr()
>
> Resets the EVM status flag for both EVM signatures and HMAC.
>
> > -> evm_update_evmxattr()
>
> evm_update_evmxattr() is only called for "security.evm", not acls.
I've added both comments but note that I'm explaining this in the
paragraph below as well.
>
> > -> evm_calc_hmac()
> > -> evm_calc_hmac_or_hash()
> >
> > and evm_cacl_hmac_or_hash() walks the global list of protected xattr
> > names evm_config_xattrnames. This global list can be modified via
> > /sys/security/integrity/evm/evm_xattrs. The write to "evm_xattrs" is
> > restricted to security.* xattrs and the default xattrs in
> > evm_config_xattrnames only contains security.* xattrs as well.
> >
> > So the actual value for posix acls is currently completely irrelevant
> > for evm during evm_inode_post_setxattr() and frankly it should stay that
> > way in the future to not cause the vfs any more headaches. But if the
> > actual posix acl values matter then evm shouldn't operate on the binary
> > void blob and try to hack around in the uapi struct anyway. Instead it
> > should then in the future add a dedicated hook which takes a struct
> > posix_acl argument passing the posix acls in the proper vfs format.
> >
> > For now it is sufficient to make evm_inode_post_set_acl() a wrapper
> > around evm_inode_post_setxattr() not passing any actual values down.
> > This will still cause the hashes to be updated as before.
>
> ^This will cause the EVM status flag to be reset.
Substituted.
next prev parent reply other threads:[~2022-09-30 8:44 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-29 15:30 [PATCH v4 00/30] acl: add vfs posix acl api Christian Brauner
2022-09-29 15:30 ` [PATCH v4 01/30] orangefs: rework posix acl handling when creating new filesystem objects Christian Brauner
2022-09-29 15:30 ` [PATCH v4 02/30] fs: pass dentry to set acl method Christian Brauner
2022-09-29 15:30 ` [PATCH v4 03/30] fs: rename current get " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 04/30] fs: add new " Christian Brauner
2022-09-30 8:53 ` Miklos Szeredi
2022-09-30 9:09 ` Christian Brauner
2022-09-30 9:43 ` Miklos Szeredi
2022-09-30 10:05 ` Christian Brauner
2022-09-30 12:24 ` Miklos Szeredi
2022-09-30 12:49 ` Christian Brauner
2022-09-30 13:01 ` Miklos Szeredi
2022-09-30 13:51 ` Christian Brauner
2022-10-04 19:53 ` Steve French
2022-10-05 7:15 ` Christian Brauner
2022-10-06 6:31 ` Miklos Szeredi
2022-10-06 7:40 ` Christian Brauner
2022-10-06 9:07 ` Miklos Szeredi
2022-09-29 15:30 ` [PATCH v4 05/30] cifs: implement " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 06/30] cifs: implement set " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 07/30] 9p: implement get " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 08/30] 9p: implement set " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 09/30] security: add get, remove and set acl hook Christian Brauner
2022-09-29 19:15 ` Paul Moore
2022-09-29 15:30 ` [PATCH v4 10/30] selinux: implement get, set and remove " Christian Brauner
2022-09-29 19:15 ` Paul Moore
2022-09-30 8:38 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 11/30] smack: " Christian Brauner
2022-09-29 19:15 ` Paul Moore
2022-09-30 8:40 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 12/30] integrity: implement get and set " Christian Brauner
2022-09-29 19:14 ` Paul Moore
2022-09-30 3:19 ` Mimi Zohar
2022-09-30 14:11 ` Paul Moore
2022-09-30 8:11 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 13/30] evm: add post " Christian Brauner
2022-09-30 1:44 ` Mimi Zohar
2022-09-30 2:51 ` Mimi Zohar
2022-09-30 8:44 ` Christian Brauner [this message]
2022-09-30 11:48 ` Mimi Zohar
2022-10-04 7:04 ` Christian Brauner
2022-09-29 15:30 ` [PATCH v4 14/30] internal: add may_write_xattr() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 15/30] acl: add vfs_set_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 16/30] acl: add vfs_get_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 17/30] acl: add vfs_remove_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 18/30] ksmbd: use vfs_remove_acl() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 19/30] ecryptfs: implement get acl method Christian Brauner
2022-09-29 15:30 ` [PATCH v4 20/30] ecryptfs: implement set " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 21/30] ovl: implement get " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 22/30] ovl: implement set " Christian Brauner
2022-10-06 12:39 ` Miklos Szeredi
2022-09-29 15:30 ` [PATCH v4 23/30] ovl: use posix acl api Christian Brauner
2022-10-06 12:50 ` Miklos Szeredi
2022-09-29 15:30 ` [PATCH v4 24/30] xattr: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 25/30] evm: remove evm_xattr_acl_change() Christian Brauner
2022-09-29 15:30 ` [PATCH v4 26/30] ecryptfs: use stub posix acl handlers Christian Brauner
2022-09-29 15:30 ` [PATCH v4 27/30] ovl: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 28/30] cifs: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 29/30] 9p: " Christian Brauner
2022-09-29 15:30 ` [PATCH v4 30/30] acl: remove a slew of now unused helpers Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220930084438.4wuyeyogdthiwmmn@wittgenstein \
--to=brauner@kernel.org \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sforshee@kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.