From: Roberto Sassu <roberto.sassu@huawei.com>
To: Mimi Zohar <zohar@linux.ibm.com>, "mjg59@google.com" <mjg59@google.com>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: RE: [PATCH v4 04/11] ima: Move ima_reset_appraise_flags() call to post hooks
Date: Mon, 3 May 2021 07:41:41 +0000 [thread overview]
Message-ID: <8c851eec3ae44d209c5b8e45dd67266e@huawei.com> (raw)
In-Reply-To: <960b27ad2fa7e85a999f0ad600ba07546dc39f2b.camel@linux.ibm.com>
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Friday, April 30, 2021 8:00 PM
> On Wed, 2021-04-28 at 15:35 +0000, Roberto Sassu wrote:
> > > From: Roberto Sassu
> > > Sent: Friday, March 5, 2021 4:19 PM
> > > ima_inode_setxattr() and ima_inode_removexattr() hooks are called
> before
> > > an
> > > operation is performed. Thus, ima_reset_appraise_flags() should not be
> > > called there, as flags might be unnecessarily reset if the operation is
> > > denied.
> > >
> > > This patch introduces the post hooks ima_inode_post_setxattr() and
> > > ima_inode_post_removexattr(), and adds the call to
> > > ima_reset_appraise_flags() in the new functions.
> > >
> > > Cc: Casey Schaufler <casey@schaufler-ca.com>
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > ---
> > > fs/xattr.c | 2 ++
> > > include/linux/ima.h | 18 ++++++++++++++++++
> > > security/integrity/ima/ima_appraise.c | 25 ++++++++++++++++++++++---
> > > security/security.c | 1 +
> > > 4 files changed, 43 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/fs/xattr.c b/fs/xattr.c
> > > index b3444e06cded..81847f132d26 100644
> > > --- a/fs/xattr.c
> > > +++ b/fs/xattr.c
> > > @@ -16,6 +16,7 @@
> > > #include <linux/namei.h>
> > > #include <linux/security.h>
> > > #include <linux/evm.h>
> > > +#include <linux/ima.h>
> > > #include <linux/syscalls.h>
> > > #include <linux/export.h>
> > > #include <linux/fsnotify.h>
> > > @@ -502,6 +503,7 @@ __vfs_removexattr_locked(struct
> user_namespace
> > > *mnt_userns,
> > >
> > > if (!error) {
> > > fsnotify_xattr(dentry);
> > > + ima_inode_post_removexattr(dentry, name);
> > > evm_inode_post_removexattr(dentry, name);
> > > }
> > >
> > > diff --git a/include/linux/ima.h b/include/linux/ima.h
> > > index 61d5723ec303..5e059da43857 100644
> > > --- a/include/linux/ima.h
> > > +++ b/include/linux/ima.h
> > > @@ -171,7 +171,13 @@ extern void ima_inode_post_setattr(struct
> > > user_namespace *mnt_userns,
> > > struct dentry *dentry);
> > > extern int ima_inode_setxattr(struct dentry *dentry, const char
> *xattr_name,
> > > const void *xattr_value, size_t xattr_value_len);
> > > +extern void ima_inode_post_setxattr(struct dentry *dentry,
> > > + const char *xattr_name,
> > > + const void *xattr_value,
> > > + size_t xattr_value_len);
> > > extern int ima_inode_removexattr(struct dentry *dentry, const char
> > > *xattr_name);
> > > +extern void ima_inode_post_removexattr(struct dentry *dentry,
> > > + const char *xattr_name);
> > > #else
> > > static inline bool is_ima_appraise_enabled(void)
> > > {
> > > @@ -192,11 +198,23 @@ static inline int ima_inode_setxattr(struct
> dentry
> > > *dentry,
> > > return 0;
> > > }
> > >
> > > +static inline void ima_inode_post_setxattr(struct dentry *dentry,
> > > + const char *xattr_name,
> > > + const void *xattr_value,
> > > + size_t xattr_value_len)
> > > +{
> > > +}
> > > +
> > > static inline int ima_inode_removexattr(struct dentry *dentry,
> > > const char *xattr_name)
> > > {
> > > return 0;
> > > }
> > > +
> > > +static inline void ima_inode_post_removexattr(struct dentry *dentry,
> > > + const char *xattr_name)
> > > +{
> > > +}
> > > #endif /* CONFIG_IMA_APPRAISE */
> > >
> > > #if defined(CONFIG_IMA_APPRAISE) &&
> > > defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
> > > diff --git a/security/integrity/ima/ima_appraise.c
> > > b/security/integrity/ima/ima_appraise.c
> > > index 565e33ff19d0..1f029e4c8d7f 100644
> > > --- a/security/integrity/ima/ima_appraise.c
> > > +++ b/security/integrity/ima/ima_appraise.c
> > > @@ -577,21 +577,40 @@ int ima_inode_setxattr(struct dentry *dentry,
> const
> > > char *xattr_name,
> > > if (result == 1) {
> > > if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
> > > return -EINVAL;
> > > - ima_reset_appraise_flags(d_backing_inode(dentry),
> > > - xvalue->type == EVM_IMA_XATTR_DIGSIG);
> > > result = 0;
> > > }
> > > return result;
> > > }
> > >
> > > +void ima_inode_post_setxattr(struct dentry *dentry, const char
> > > *xattr_name,
> > > + const void *xattr_value, size_t xattr_value_len)
> > > +{
> > > + const struct evm_ima_xattr_data *xvalue = xattr_value;
> > > + int result;
> > > +
> > > + result = ima_protect_xattr(dentry, xattr_name, xattr_value,
> > > + xattr_value_len);
> > > + if (result == 1)
> > > + ima_reset_appraise_flags(d_backing_inode(dentry),
> >
> > I found an issue in this patch.
> >
> > Moving ima_reset_appraise_flags() to the post hook causes this
> > function to be executed also when __vfs_setxattr_noperm() is
> > called.
> >
> > The problem is that at the end of a write IMA calls
> > ima_collect_measurement() to recalculate the file digest and
> > update security.ima. ima_collect_measurement() sets
> > IMA_COLLECTED.
> >
> > However, after that __vfs_setxattr_noperm() causes
> > IMA_COLLECTED to be reset, and to unnecessarily recalculate
> > the file digest. This wouldn't happen if ima_reset_appraise_flags()
> > is in the pre hook.
> >
> > I solved by replacing:
> > iint->flags &= ~IMA_DONE_MASK;
> > with:
> > iint->flags &= ~(IMA_DONE_MASK & ~IMA_COLLECTED);
> >
> > just when the IMA_CHANGE_XATTR bit is set. It should
> > not be a problem since setting an xattr does not influence
> > the file content.
> >
> > Mimi, what do you think?
>
> Thank yor for noticing this.
>
> Without seeing the actual change it is hard to tell. The only place
> that "iint->flags &= ~IMA_DONE_MASK;" occurs is in neither of the above
> functions, but in process_measurement(). There it is a part of a
> compound "if" statement. Perhaps it would be ok to change it for just
> the IMA_CHANGE_XATTR test, but definitely not for the other conditions,
> like untrusted mounts.
Ok. Should I include this change in this patch or in a separate patch?
> Moving ima_reset_appraise_flags() to the post hooks is to minimize
> resetting the flags unnecessarily. That is really a performance fix,
> not something necessary for making the EVM portable & immutable
> signatures more usable. As much as possible, please minimize the
> changes to facilitate review and testing.
Ok.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
> thanks,
>
> Mimi
next prev parent reply other threads:[~2021-05-03 7:41 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-05 15:19 [PATCH v4 00/11] evm: Improve usability of portable signatures Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 04/11] ima: Move ima_reset_appraise_flags() call to post hooks Roberto Sassu
2021-03-05 17:30 ` Casey Schaufler
2021-04-26 19:49 ` Mimi Zohar
2021-04-27 9:25 ` Roberto Sassu
2021-04-27 15:34 ` Mimi Zohar
2021-04-27 15:57 ` Roberto Sassu
2021-04-27 16:03 ` Mimi Zohar
2021-04-27 16:39 ` Casey Schaufler
2021-04-27 16:48 ` Mimi Zohar
2021-04-28 7:48 ` Roberto Sassu
2021-04-28 15:35 ` Roberto Sassu
2021-04-30 18:00 ` Mimi Zohar
2021-05-03 7:41 ` Roberto Sassu [this message]
2021-05-03 13:21 ` Mimi Zohar
2021-03-05 15:19 ` [PATCH v4 05/11] evm: Introduce evm_status_revalidate() Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 06/11] evm: Ignore INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS if conditions are safe Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 07/11] evm: Allow xattr/attr operations for portable signatures Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 08/11] evm: Allow setxattr() and setattr() for unmodified metadata Roberto Sassu
2021-03-25 10:53 ` Roberto Sassu
2021-03-25 12:13 ` Christian Brauner
2021-03-25 12:21 ` Christian Brauner
2021-03-25 12:40 ` Roberto Sassu
2021-03-25 12:39 ` Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 10/11] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 11/11] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8c851eec3ae44d209c5b8e45dd67266e@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=casey@schaufler-ca.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.