From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Subject: Re: [PATCH] Open a new file instance if no read permissions on files From: Mimi Zohar Date: Mon, 08 Oct 2018 17:18:32 -0400 In-Reply-To: <20181008153014.vb4hd7xdpbsbbrxg@merlin> References: <20181005214213.ickkfgu5a7tzzenk@merlin> <1538874061.4914.16.camel@linux.ibm.com> <20181008121455.za53z7kgfizgtiv7@merlin> <1539005279.15382.119.camel@linux.ibm.com> <20181008153014.vb4hd7xdpbsbbrxg@merlin> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <1539033512.15382.133.camel@linux.ibm.com> To: Goldwyn Rodrigues Cc: linux-integrity@vger.kernel.org, linux-unionfs@vger.kernel.org, iforster@suse.de, fvogt@suse.de, miklos@szeredi.hu List-ID: On Mon, 2018-10-08 at 10:30 -0500, Goldwyn Rodrigues wrote: > On 9:27 08/10, Mimi Zohar wrote: > > On Mon, 2018-10-08 at 07:14 -0500, Goldwyn Rodrigues wrote: > > > > > > > > > > > > > > > + if (!(file->f_mode & FMODE_READ)) { > > > > > + struct file *f; > > > > > > > > I would define "struct file *f = file" above, at the beginning of > > > > function, and "free(f)" below, without modifying "file". > > > > > > I suppose you mean fput(f). > > > > yes > > > > > Okay, if it makes code more understandable. > > > > Thanks > > > > > > > > > > > > + int flags = file->f_flags & ~(O_WRONLY | O_APPEND | O_TRUNC | O_CREAT | O_NOCTTY | O_EXCL); > > > > > > > > Doesn't O_RDONLY need to be added? > > > > > > No. O_RDONLY is zero. But I think I should add it for readability. The > > > compiler will optimize it eventually. > > > > > > > Please fix the line length. > > > > > > > > > > > > > + f = dentry_open(&file->f_path, flags, file->f_cred); > > > > > + if (IS_ERR(f)) > > > > > + return PTR_ERR(f); > > > > It's late in the release cycle to be making this change.  Would it > > make sense for now to fallback to modifying the original file > > descriptor on failure and emit a message? > > Yes, perhaps and it may still succeed. Won't it be misleading if it does? > Would ima_update_xattr() be a good place? Not sure if it would spew too > many messages if there is an issue. I am all in for modifying the > original file->f_flags on failure. Just not sure about the error > message. The message should be an indication that the dentry_open() failed.  So it needs to be in ima_calc_file_hash.  Perhaps use either pr_info_ratelimited or even pr_info_once() to limit the number of messages. > Currently, when we perform IMA hash calculation on a O_WRONLY file with > overlayfs, there is no error in dmesg. Just EACCES on the _next_ write > which makes it difficult to conclude whats wrong. There should be an AUDIT_INTEGRITY_DATA message emitted by ima_collect_measurement(). Mimi From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:43798 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726160AbeJIEcV (ORCPT ); Tue, 9 Oct 2018 00:32:21 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w98LEuwT017747 for ; Mon, 8 Oct 2018 17:18:38 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0b-001b2d01.pphosted.com with ESMTP id 2n0a453n2n-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 08 Oct 2018 17:18:37 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 8 Oct 2018 22:18:36 +0100 Subject: Re: [PATCH] Open a new file instance if no read permissions on files From: Mimi Zohar To: Goldwyn Rodrigues Cc: linux-integrity@vger.kernel.org, linux-unionfs@vger.kernel.org, iforster@suse.de, fvogt@suse.de, miklos@szeredi.hu Date: Mon, 08 Oct 2018 17:18:32 -0400 In-Reply-To: <20181008153014.vb4hd7xdpbsbbrxg@merlin> References: <20181005214213.ickkfgu5a7tzzenk@merlin> <1538874061.4914.16.camel@linux.ibm.com> <20181008121455.za53z7kgfizgtiv7@merlin> <1539005279.15382.119.camel@linux.ibm.com> <20181008153014.vb4hd7xdpbsbbrxg@merlin> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Message-Id: <1539033512.15382.133.camel@linux.ibm.com> Sender: linux-integrity-owner@vger.kernel.org List-ID: On Mon, 2018-10-08 at 10:30 -0500, Goldwyn Rodrigues wrote: > On 9:27 08/10, Mimi Zohar wrote: > > On Mon, 2018-10-08 at 07:14 -0500, Goldwyn Rodrigues wrote: > > > > > > > > > > > > > > > + if (!(file->f_mode & FMODE_READ)) { > > > > > + struct file *f; > > > > > > > > I would define "struct file *f = file" above, at the beginning of > > > > function, and "free(f)" below, without modifying "file". > > > > > > I suppose you mean fput(f). > > > > yes > > > > > Okay, if it makes code more understandable. > > > > Thanks > > > > > > > > > > > > + int flags = file->f_flags & ~(O_WRONLY | O_APPEND | O_TRUNC | O_CREAT | O_NOCTTY | O_EXCL); > > > > > > > > Doesn't O_RDONLY need to be added? > > > > > > No. O_RDONLY is zero. But I think I should add it for readability. The > > > compiler will optimize it eventually. > > > > > > > Please fix the line length. > > > > > > > > > > > > > + f = dentry_open(&file->f_path, flags, file->f_cred); > > > > > + if (IS_ERR(f)) > > > > > + return PTR_ERR(f); > > > > It's late in the release cycle to be making this change. Would it > > make sense for now to fallback to modifying the original file > > descriptor on failure and emit a message? > > Yes, perhaps and it may still succeed. Won't it be misleading if it does? > Would ima_update_xattr() be a good place? Not sure if it would spew too > many messages if there is an issue. I am all in for modifying the > original file->f_flags on failure. Just not sure about the error > message. The message should be an indication that the dentry_open() failed. So it needs to be in ima_calc_file_hash. Perhaps use either pr_info_ratelimited or even pr_info_once() to limit the number of messages. > Currently, when we perform IMA hash calculation on a O_WRONLY file with > overlayfs, there is no error in dmesg. Just EACCES on the _next_ write > which makes it difficult to conclude whats wrong. There should be an AUDIT_INTEGRITY_DATA message emitted by ima_collect_measurement(). Mimi