All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
	"david.safford@gmail.com" <david.safford@gmail.com>,
	"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
	"jmorris@namei.org" <jmorris@namei.org>,
	John Johansen <john.johansen@canonical.com>
Cc: "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>
Subject: Re: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure
Date: Fri, 08 May 2020 13:08:04 -0400	[thread overview]
Message-ID: <1588957684.5146.70.camel@linux.ibm.com> (raw)
In-Reply-To: <84e6acad739a415aa3e2457b5c37979f@huawei.com>

On Fri, 2020-05-08 at 10:20 +0000, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> > On Thu, 2020-05-07 at 16:47 +0000, Roberto Sassu wrote:

<snip>

> > > > the file metadata to the file data.  The IMA and EVM policies really
> > > > need to be in sync.
> > >
> > > It would be nice, but at the moment EVM considers also files that are
> > > not selected by the IMA policy. An example of why this is a problem is
> > > the audit service that fails to start when it tries to adjust the permissions
> > > of the log files. Those files don't have security.evm because they are
> > > not appraised by IMA, but EVM denies the operation.
> > 
> > No, this is a timing issue as to whether or not the builtin policy or
> > a custom policy has been loaded.  A custom policy could exclude the
> > log files based on LSM labels, but they are included in the builtin
> > policy.
> 
> Yes, I was referring to a custom policy. In this case, EVM will not adapt
> to the custom policy but still verifies all files. If access control is done
> exclusively by IMA at the time evm_verifyxattr() is called, we wouldn't
> need to add security.evm to all files.

Roberto, EVM is only triggered by IMA, unless you've modified the
kernel to do otherwise.

I'm not interested in a complicated solution, just one that addresses
the new EVM immutable and portable signature.  It might require EVM
HMAC, IMA differentiating between a new file and an existing file, or
it might require writing the new EVM signature last, after all the
other xattrs or metadata are updated.  Please nothing that changes
existing expectations.

Mimi

  reply	other threads:[~2020-05-08 17:08 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-29  7:39 [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure Roberto Sassu
2020-04-29  7:39 ` [RFC][PATCH 2/3] evm: Extend API of post hooks to pass the result of pre hooks Roberto Sassu
2020-04-29  7:39 ` [RFC][PATCH 3/3] evm: Return -EAGAIN to ignore verification failures Roberto Sassu
2020-04-30 16:11 ` [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure Lev R. Oshvang .
2020-05-01  6:56   ` Roberto Sassu
2020-05-06 16:11 ` Roberto Sassu
2020-05-06 19:44 ` Mimi Zohar
2020-05-06 21:10   ` Mimi Zohar
2020-05-07  7:53     ` Roberto Sassu
2020-05-07 15:17       ` Mimi Zohar
2020-05-07 16:47         ` Roberto Sassu
2020-05-07 20:45           ` Mimi Zohar
2020-05-08 10:20             ` Roberto Sassu
2020-05-08 17:08               ` Mimi Zohar [this message]
2020-05-11 14:13                 ` Roberto Sassu
2020-05-11 21:36                   ` Mimi Zohar
2020-05-12  7:54                     ` Roberto Sassu
2020-05-12 14:17                       ` Mimi Zohar
2020-05-12 15:31                         ` Roberto Sassu
2020-05-12 15:50                           ` Mimi Zohar
2020-05-12 16:31                             ` Roberto Sassu
2020-05-12 19:38                               ` Mimi Zohar
2020-05-13  7:21                                 ` Roberto Sassu
2020-05-13 15:09                                   ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1588957684.5146.70.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=Silviu.Vlasceanu@huawei.com \
    --cc=david.safford@gmail.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.