All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>, mjg59@google.com
Cc: linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com
Subject: Re: [PATCH v2 08/12] evm: Allow xattr/attr operations for portable signatures if check fails
Date: Thu, 17 Sep 2020 08:32:16 -0400	[thread overview]
Message-ID: <03e55547ff7c8725a73f60c460deb13a5b135531.camel@linux.ibm.com> (raw)
In-Reply-To: <20200904092643.20013-4-roberto.sassu@huawei.com>

Hi Roberto,

"if check fails" in the Subject line is unnecessary.

On Fri, 2020-09-04 at 11:26 +0200, Roberto Sassu wrote:
> If files with portable signatures are copied from one location to another
> or are extracted from an archive, verification can temporarily fail until
> all xattrs/attrs are set in the destination. Only portable signatures may
> be moved or copied from one file to another, as they don't depend on
> system-specific information such as the inode generation. Instead portable
> signatures must include security.ima.
> 
> Unlike other security.evm types, EVM portable signatures are also
> immutable. Thus, it wouldn't be a problem to allow xattr/attr operations
> when verification fails, as portable signatures will never be replaced with
> an HMAC on possibly corrupted xattrs/attrs.
> 
> This patch first introduces a new integrity status called
> INTEGRITY_FAIL_IMMUTABLE, that allows callers of
> evm_verify_current_integrity() to detect that a portable signature didn't
> pass verification and then adds an exception in evm_protect_xattr() and
> evm_inode_setattr() for this status and returns 0 instead of -EPERM.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

< snip >

> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 05be1ad3e6f3..a5dab1ac9374 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> 
> @@ -358,6 +364,12 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
>  				    -EPERM, 0);
>  	}
>  out:
> +	/* Writing other xattrs is safe for portable signatures, as portable
> +	 * signatures are immutable and can never be updated.
> +	 */

This is the second time I'm seeing this comment format style.   Why? 
What changed?

Mimi

> +	if (evm_status == INTEGRITY_FAIL_IMMUTABLE)
> +		return 0;
> +
>  	if (evm_status != INTEGRITY_PASS)
>  		integrity_audit_msg(AUDIT_INTEGRITY_METADATA, d_backing_inode(dentry),
>  				    dentry->d_name.name, "appraise_metadata",


  reply	other threads:[~2020-09-17 12:38 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-04  9:23 [PATCH v2 00/12] IMA/EVM fixes Roberto Sassu
2020-09-04  9:23 ` [PATCH v2 01/12] ima: Don't ignore errors from crypto_shash_update() Roberto Sassu
2020-09-07 15:03   ` Sasha Levin
2020-09-04  9:23 ` [PATCH v2 02/12] ima: Remove semicolon at the end of ima_get_binary_runtime_size() Roberto Sassu
2020-09-04  9:23 ` [PATCH v2 03/12] evm: Check size of security.evm before using it Roberto Sassu
2020-09-04  9:23 ` [PATCH v2 04/12] evm: Execute evm_inode_init_security() only when the HMAC key is loaded Roberto Sassu
2020-09-07 15:03   ` Sasha Levin
2020-09-16 16:15   ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 05/12] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
2020-09-04  9:26 ` [PATCH v2 06/12] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded Roberto Sassu
2020-09-04  9:26 ` [PATCH v2 07/12] evm: Introduce EVM_RESET_STATUS atomic flag Roberto Sassu
2020-09-17 12:01   ` Mimi Zohar
2020-09-17 17:36     ` Roberto Sassu
2020-09-17 17:47       ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 08/12] evm: Allow xattr/attr operations for portable signatures if check fails Roberto Sassu
2020-09-17 12:32   ` Mimi Zohar [this message]
2020-09-04  9:26 ` [PATCH v2 09/12] evm: Allow setxattr() and setattr() if metadata digest won't change Roberto Sassu
2020-09-17 13:15   ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 10/12] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
2020-09-04  9:26 ` [PATCH v2 11/12] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
2020-09-17 14:25   ` Mimi Zohar
2020-09-17 15:05     ` Roberto Sassu
2020-09-17 15:55       ` Mimi Zohar
2020-09-04  9:26 ` [PATCH v2 12/12] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
2020-09-16 16:14 ` [PATCH v2 00/12] IMA/EVM fixes Mimi Zohar
2020-09-17 14:33   ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=03e55547ff7c8725a73f60c460deb13a5b135531.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@google.com \
    --cc=roberto.sassu@huawei.com \
    --cc=silviu.vlasceanu@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.