All of lore.kernel.org
 help / color / mirror / Atom feed
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Mimi Zohar <zohar@linux.ibm.com>, Amir Goldstein <amir73il@gmail.com>
Cc: iforster@suse.de, Goldwyn Rodrigues <rgoldwyn@suse.com>,
	linux-integrity@vger.kernel.org,
	Miklos Szeredi <miklos@szeredi.hu>,
	overlayfs <linux-unionfs@vger.kernel.org>
Subject: Re: EVM: Permission denied with overlayfs
Date: Thu, 20 Dec 2018 11:24:53 -0800	[thread overview]
Message-ID: <1545333893.18986.3.camel@HansenPartnership.com> (raw)
In-Reply-To: <1545317716.4077.33.camel@linux.ibm.com>

On Thu, 2018-12-20 at 09:55 -0500, Mimi Zohar wrote:
> On Wed, 2018-12-19 at 14:08 -0800, James Bottomley wrote:
> 
> > > For portable signatures, to bind the file metadata with the file 
> > > data, we've replaced the inode number and generation, with the
> > > "security.ima" xattr.  Do we want this requirement/limitation for
> > > overlays?
> > 
> > Well, that's my question, yes.  I think there's a reasonable case
> > for it, but I was wondering what value the inode number and
> > generation brings.  Is there some reason to bind the EVM signature
> > to a more mutable file container (which is what inum/generation
> > provide) rather than a hard hash of file content (which is what the
> > ima xattr provides)?
> 
> As only files in the IMA policy are labeled with security.ima, to
> protect other files and directories, requires including the inode
> number, generation and the UUID.

OK, so you want to protect the container (essentially file name and
place in the tree) not the contents?  In which case, as Amir said, you
need to be using the filehandle got from something like
exportfs_encode_inode_fh().  That's guaranteed to be an immutable and
stable representative of the container not the contents.

> > > The existing EVM portable signature is an asymmetric algorithm
> > > based signature.  Would we define a "portable" HMAC?
> > 
> > Well, a signature is just an encryption of a hash.  Whether you do
> > HMAC with symmetric key or RSA/EC with an asymmetric one is more an
> > operational question.  HMAC is certainly much faster but EVM only
> > has a single hmac key which is problematic for the
> > containers.  Without a use case I can't really say.  Instinct tells
> > me asymmetric is more suitable to the container use case, but
> > that's really just a guess.
> 
> One of the differences between the EVM portable signature type and
> the original signature type is that the portable signatures aren't
> replaced with an HMAC.  They're considered portable & immutable.
> 
> Adding kernel support for signing mutable files using an asymmetric
> key is going to blur the lines between mutable/immutable files.

So don't do that ... have an additional type that simply doesn't
include the inode/generation (or move to a v2 that uses the filehandle
instead).

James

  reply	other threads:[~2018-12-20 19:24 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-18 19:49 EVM: Permission denied with overlayfs Ignaz Forster
2018-12-18 23:00 ` Mimi Zohar
2018-12-19 15:39   ` Mimi Zohar
2018-12-19 16:38     ` Amir Goldstein
2018-12-19 18:34       ` Mimi Zohar
2018-12-19 20:39         ` Amir Goldstein
2018-12-20  3:42       ` Goldwyn Rodrigues
2018-12-20  7:15         ` Amir Goldstein
2018-12-19 16:56     ` James Bottomley
2018-12-19 18:15       ` Mimi Zohar
2018-12-19 19:34         ` James Bottomley
2018-12-19 20:12           ` Amir Goldstein
2018-12-19 21:02             ` Mimi Zohar
2018-12-19 22:08               ` James Bottomley
2018-12-20 14:55                 ` Mimi Zohar
2018-12-20 19:24                   ` James Bottomley [this message]
2018-12-19 22:11             ` James Bottomley
     [not found]     ` <1545234449.3954.14.camel@linux.ibm.com>
     [not found]       ` <CAOQ4uxgG9yu-dOgOZyFnck+=ZjsoDe0SCJ6S-4+s0kB6mH2Maw@mail.gmail.com>
     [not found]         ` <1545245504.3954.51.camel@linux.ibm.com>
2018-12-19 20:47           ` [Fwd: Re: EVM: Permission denied with overlayfs] Amir Goldstein
2018-12-20 10:53             ` Mimi Zohar
2018-12-20 12:04               ` Amir Goldstein
2018-12-20 14:20                 ` Mimi Zohar
2018-12-20 15:56                   ` Amir Goldstein
2018-12-20 16:39                     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1545333893.18986.3.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=amir73il@gmail.com \
    --cc=iforster@suse.de \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=rgoldwyn@suse.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.