From: Casey Schaufler <casey@schaufler-ca.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
zohar@linux.ibm.com, mjg59@google.com
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v4 04/11] ima: Move ima_reset_appraise_flags() call to post hooks
Date: Fri, 5 Mar 2021 09:30:51 -0800 [thread overview]
Message-ID: <c3bb1069-c732-d3cf-0dde-7a83b3f31871@schaufler-ca.com> (raw)
In-Reply-To: <20210305151923.29039-5-roberto.sassu@huawei.com>
On 3/5/2021 7:19 AM, Roberto Sassu wrote:
> ima_inode_setxattr() and ima_inode_removexattr() hooks are called before an
> operation is performed. Thus, ima_reset_appraise_flags() should not be
> called there, as flags might be unnecessarily reset if the operation is
> denied.
>
> This patch introduces the post hooks ima_inode_post_setxattr() and
> ima_inode_post_removexattr(), and adds the call to
> ima_reset_appraise_flags() in the new functions.
I don't see anything wrong with this patch in light of the way
IMA and EVM have been treated to date.
However ...
The special casing of IMA and EVM in security.c is getting out of
hand, and appears to be unnecessary. By my count there are 9 IMA
hooks and 5 EVM hooks that have been hard coded. Adding this IMA
hook makes 10. It would be really easy to register IMA and EVM as
security modules. That would remove the dependency they currently
have on security sub-system approval for changes like this one.
I know there has been resistance to "IMA as an LSM" in the past,
but it's pretty hard to see how it wouldn't be a win.
Short of that ...
Many of the places where IMA is invoked immediately invoke EVM
as well. Instead of:
ima_do_stuff(x, y, z);
evm_do_stuff(x, y, z);
how about
integrity_do_stuff(x, y, z);
>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> ---
> fs/xattr.c | 2 ++
> include/linux/ima.h | 18 ++++++++++++++++++
> security/integrity/ima/ima_appraise.c | 25 ++++++++++++++++++++++---
> security/security.c | 1 +
> 4 files changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index b3444e06cded..81847f132d26 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -16,6 +16,7 @@
> #include <linux/namei.h>
> #include <linux/security.h>
> #include <linux/evm.h>
> +#include <linux/ima.h>
> #include <linux/syscalls.h>
> #include <linux/export.h>
> #include <linux/fsnotify.h>
> @@ -502,6 +503,7 @@ __vfs_removexattr_locked(struct user_namespace *mnt_userns,
>
> if (!error) {
> fsnotify_xattr(dentry);
> + ima_inode_post_removexattr(dentry, name);
> evm_inode_post_removexattr(dentry, name);
> }
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 61d5723ec303..5e059da43857 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -171,7 +171,13 @@ extern void ima_inode_post_setattr(struct user_namespace *mnt_userns,
> struct dentry *dentry);
> extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
> const void *xattr_value, size_t xattr_value_len);
> +extern void ima_inode_post_setxattr(struct dentry *dentry,
> + const char *xattr_name,
> + const void *xattr_value,
> + size_t xattr_value_len);
> extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
> +extern void ima_inode_post_removexattr(struct dentry *dentry,
> + const char *xattr_name);
> #else
> static inline bool is_ima_appraise_enabled(void)
> {
> @@ -192,11 +198,23 @@ static inline int ima_inode_setxattr(struct dentry *dentry,
> return 0;
> }
>
> +static inline void ima_inode_post_setxattr(struct dentry *dentry,
> + const char *xattr_name,
> + const void *xattr_value,
> + size_t xattr_value_len)
> +{
> +}
> +
> static inline int ima_inode_removexattr(struct dentry *dentry,
> const char *xattr_name)
> {
> return 0;
> }
> +
> +static inline void ima_inode_post_removexattr(struct dentry *dentry,
> + const char *xattr_name)
> +{
> +}
> #endif /* CONFIG_IMA_APPRAISE */
>
> #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 565e33ff19d0..1f029e4c8d7f 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -577,21 +577,40 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
> if (result == 1) {
> if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
> return -EINVAL;
> - ima_reset_appraise_flags(d_backing_inode(dentry),
> - xvalue->type == EVM_IMA_XATTR_DIGSIG);
> result = 0;
> }
> return result;
> }
>
> +void ima_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
> + const void *xattr_value, size_t xattr_value_len)
> +{
> + const struct evm_ima_xattr_data *xvalue = xattr_value;
> + int result;
> +
> + result = ima_protect_xattr(dentry, xattr_name, xattr_value,
> + xattr_value_len);
> + if (result == 1)
> + ima_reset_appraise_flags(d_backing_inode(dentry),
> + xvalue->type == EVM_IMA_XATTR_DIGSIG);
> +}
> +
> int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
> {
> int result;
>
> result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
> if (result == 1) {
> - ima_reset_appraise_flags(d_backing_inode(dentry), 0);
> result = 0;
> }
> return result;
> }
> +
> +void ima_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
> +{
> + int result;
> +
> + result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
> + if (result == 1)
> + ima_reset_appraise_flags(d_backing_inode(dentry), 0);
> +}
> diff --git a/security/security.c b/security/security.c
> index 5ac96b16f8fa..efb1f874dc41 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1319,6 +1319,7 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
> if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
> return;
> call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
> + ima_inode_post_setxattr(dentry, name, value, size);
> evm_inode_post_setxattr(dentry, name, value, size);
> }
>
next prev parent reply other threads:[~2021-03-05 17:32 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-05 15:19 [PATCH v4 00/11] evm: Improve usability of portable signatures Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 04/11] ima: Move ima_reset_appraise_flags() call to post hooks Roberto Sassu
2021-03-05 17:30 ` Casey Schaufler [this message]
2021-04-26 19:49 ` Mimi Zohar
2021-04-27 9:25 ` Roberto Sassu
2021-04-27 15:34 ` Mimi Zohar
2021-04-27 15:57 ` Roberto Sassu
2021-04-27 16:03 ` Mimi Zohar
2021-04-27 16:39 ` Casey Schaufler
2021-04-27 16:48 ` Mimi Zohar
2021-04-28 7:48 ` Roberto Sassu
2021-04-28 15:35 ` Roberto Sassu
2021-04-30 18:00 ` Mimi Zohar
2021-05-03 7:41 ` Roberto Sassu
2021-05-03 13:21 ` Mimi Zohar
2021-03-05 15:19 ` [PATCH v4 05/11] evm: Introduce evm_status_revalidate() Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 06/11] evm: Ignore INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS if conditions are safe Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 07/11] evm: Allow xattr/attr operations for portable signatures Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 08/11] evm: Allow setxattr() and setattr() for unmodified metadata Roberto Sassu
2021-03-25 10:53 ` Roberto Sassu
2021-03-25 12:13 ` Christian Brauner
2021-03-25 12:21 ` Christian Brauner
2021-03-25 12:40 ` Roberto Sassu
2021-03-25 12:39 ` Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 10/11] ima: Introduce template field evmsig and write to field sig as fallback Roberto Sassu
2021-03-05 15:19 ` [PATCH v4 11/11] ima: Don't remove security.ima if file must not be appraised Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c3bb1069-c732-d3cf-0dde-7a83b3f31871@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=roberto.sassu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.