All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Christoph Hellwig <hch@infradead.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: Roberto Sassu <roberto.sassu@huawei.com>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>,
	"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()
Date: Mon, 16 Nov 2020 13:21:10 -0500	[thread overview]
Message-ID: <51b4f4f119a80827fcc539de68ec9fa3df16d94d.camel@linux.ibm.com> (raw)
In-Reply-To: <20201116174127.GA4578@infradead.org>

On Mon, 2020-11-16 at 17:41 +0000, Christoph Hellwig wrote:
> On Mon, Nov 16, 2020 at 09:37:32AM -0800, Linus Torvalds wrote:
> > > This discussion seems to be going down the path of requiring an IMA
> > > filesystem hook for reading the file, again.  That solution was
> > > rejected, not by me.  What is new this time?
> > 
> > You can't read a non-read-opened file. Not even IMA can.
> > 
> > So don't do that then.
> > 
> > IMA is doing something wrong. Why would you ever read a file that can't be read?
> > 
> > Fix whatever "open" function instead of trying to work around the fact
> > that you opened it wrong.
> 
> The "issue" with IMA is that it uses security hooks to hook into the
> VFS and then wants to read every file that gets opened on a real file
> system to "measure" the contents vs a hash stashed away somewhere.
> Which has always been rather sketchy.

There are security hooks, where IMA is co-located, but there are also
IMA hooks where there isn't an IMA hook (e.g. ima_file_check).  In all
cases, the file needs to be read in order to calculate the file hash,
which is then used for verifying file signatures (equivalent of secure
boot) and extending the TPM (equivalent of trusted boot).  Only after
measuring and verifying the file integrity, should access be granted to
the file.

Whether filesystems can and should be trusted to provide the real file
hashes is a separate issue.

The decision as to which files should be measured or the signature
verified is based on policy.

thanks,

Mimi


  parent reply	other threads:[~2020-11-16 18:21 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-13  8:01 [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash() Roberto Sassu
2020-11-13 15:53 ` Mimi Zohar
2020-11-14 11:10 ` Christoph Hellwig
2020-11-16  8:52   ` Roberto Sassu
2020-11-16 16:22     ` Christoph Hellwig
2020-11-16 16:46       ` Mimi Zohar
2020-11-16 17:37         ` Linus Torvalds
2020-11-16 17:41           ` Christoph Hellwig
2020-11-16 18:09             ` Linus Torvalds
2020-11-16 18:35               ` Mimi Zohar
2020-11-17 18:23                 ` Linus Torvalds
2020-11-17 18:54                   ` Theodore Y. Ts'o
2020-11-17 23:23                   ` Mimi Zohar
2020-11-17 23:29                     ` Linus Torvalds
2020-11-17 23:36                       ` Linus Torvalds
2020-11-18 18:28                         ` Mimi Zohar
2020-11-20 12:52                         ` Roberto Sassu
2020-11-16 18:21             ` Mimi Zohar [this message]
2020-11-16 18:08           ` Al Viro
2020-11-16 18:49             ` Mimi Zohar
2020-11-17 12:29             ` Roberto Sassu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51b4f4f119a80827fcc539de68ec9fa3df16d94d.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=Silviu.Vlasceanu@huawei.com \
    --cc=hch@infradead.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=roberto.sassu@huawei.com \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.