All of lore.kernel.org
 help / color / mirror / Atom feed
From: Roberto Sassu <roberto.sassu@huawei.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Mimi Zohar <zohar@linux.ibm.com>
Cc: Christoph Hellwig <hch@infradead.org>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>,
	"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	Paul Moore <paul@paul-moore.com>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	John Johansen <john.johansen@canonical.com>,
	Kees Cook <keescook@chromium.org>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Micah Morton" <mortonm@chromium.org>
Subject: RE: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()
Date: Fri, 20 Nov 2020 12:52:00 +0000	[thread overview]
Message-ID: <6dafff7889d34bc799b4c5bfd0bfebc8@huawei.com> (raw)
In-Reply-To: <CAHk-=wjinHpYRk_F1qiaXbXcMtn-ZHKkPkBvZpDJHjoN_2o4ag@mail.gmail.com>

> From: Linus Torvalds [mailto:torvalds@linux-foundation.org]
> Sent: Wednesday, November 18, 2020 12:37 AM
> On Tue, Nov 17, 2020 at 3:29 PM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > On Tue, Nov 17, 2020 at 3:24 PM Mimi Zohar <zohar@linux.ibm.com>
> wrote:
> > >
> > > I really wish it wasn't needed.
> >
> > Seriously, I get the feeling that IMA is completely mis-designed, and
> > is doing actively bad things.
> >
> > Who uses this "feature", and who cares? Because I would suggest you
> > just change the policy and be done with it.
> 
> Another alternative is to change the policy and say "any write-only
> open gets turned into a read-write open".

One issue that would arise from doing it is that security policies need
to be modified to grant the additional read permission. If the open
flag is added early, the LSM hook security_file_open() will see it.

This solution seems not optimal, as we are giving to processes a
permission that they wouldn't really take advantage of, since the
content read remains in kernel space. And an additional permission
is a permission that can be exploited.

As Mimi said, we already have a second open with dentry_open() when
the original file descriptor is not suitable. The only problem, which is
why changing the mode is still there, is that a process still might not
have the privilege to read, and this is a legitimate case.

We could assign a more powerful credential to the process, since
dentry_open() accepts a credential as an argument. We could obtain
such powerful credential from prepare_kernel_cred(). This option
has better chances to work without modifying existing security policies
as likely those policies already assigned the required privilege to the
kernel. However, doing so might not be what LSM people recommend.

Any suggestion?

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli

  parent reply	other threads:[~2020-11-20 12:52 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-13  8:01 [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash() Roberto Sassu
2020-11-13 15:53 ` Mimi Zohar
2020-11-14 11:10 ` Christoph Hellwig
2020-11-16  8:52   ` Roberto Sassu
2020-11-16 16:22     ` Christoph Hellwig
2020-11-16 16:46       ` Mimi Zohar
2020-11-16 17:37         ` Linus Torvalds
2020-11-16 17:41           ` Christoph Hellwig
2020-11-16 18:09             ` Linus Torvalds
2020-11-16 18:35               ` Mimi Zohar
2020-11-17 18:23                 ` Linus Torvalds
2020-11-17 18:54                   ` Theodore Y. Ts'o
2020-11-17 23:23                   ` Mimi Zohar
2020-11-17 23:29                     ` Linus Torvalds
2020-11-17 23:36                       ` Linus Torvalds
2020-11-18 18:28                         ` Mimi Zohar
2020-11-20 12:52                         ` Roberto Sassu [this message]
2020-11-16 18:21             ` Mimi Zohar
2020-11-16 18:08           ` Al Viro
2020-11-16 18:49             ` Mimi Zohar
2020-11-17 12:29             ` Roberto Sassu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6dafff7889d34bc799b4c5bfd0bfebc8@huawei.com \
    --to=roberto.sassu@huawei.com \
    --cc=Silviu.Vlasceanu@huawei.com \
    --cc=casey@schaufler-ca.com \
    --cc=hch@infradead.org \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mortonm@chromium.org \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    --cc=stable@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.