linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Amir Goldstein <amir73il@gmail.com>,
	James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: iforster@suse.de, Goldwyn Rodrigues <rgoldwyn@suse.com>,
	linux-integrity@vger.kernel.org,
	Miklos Szeredi <miklos@szeredi.hu>,
	overlayfs <linux-unionfs@vger.kernel.org>
Subject: Re: EVM: Permission denied with overlayfs
Date: Wed, 19 Dec 2018 16:02:21 -0500	[thread overview]
Message-ID: <1545253341.3954.83.camel@linux.ibm.com> (raw)
In-Reply-To: <CAOQ4uxhDh3okp1nYgZXxG+2siChfT8Oq3ncH1FFhQW_zBCstzw@mail.gmail.com>

On Wed, 2018-12-19 at 22:12 +0200, Amir Goldstein wrote:
> On Wed, Dec 19, 2018 at 9:34 PM James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> >
> > On Wed, 2018-12-19 at 13:15 -0500, Mimi Zohar wrote:
> > > On Wed, 2018-12-19 at 08:56 -0800, James Bottomley wrote:
> > > > On Wed, 2018-12-19 at 10:39 -0500, Mimi Zohar wrote:
> > > > > Confirmed, in linux-4.18.y d_backing_inode returns the real
> > > > > i_ino, but newer kernels do not.
> > > >
> > > > Just so we're clear, this isn't an issue with d_backing_inode(),
> > > > which hasn't changed since its introduction in 2015 and which
> > > > always returns dentry->d_inode (it was originally a helper for
> > > > unionfs which got merged even though unionfs didn't, which makes it
> > > > and the comment about upper/lower totally misleading).  The problem
> > > > is that overlayfs has changed the inode it places into d_inode.
> > > >
> > > > >   This is a problem for EVM as the i_ino is included in the HMAC
> > > > > calculation.
> > > >
> > > > Isn't the solution always to use portable signatures for
> > > > containers?
> > > > It's problematic to include inode and generation with an overlay
> > > > because if you change the metadata it gets copied up => new inode
> > > > number and generation on the upper filesystem but if we were always
> > > > using the underlying inode number and generation, the signature
> > > > would then be wrong on the copied up file.
> > > >
> > > > At base, most container images are sets of tar files, which are not
> > > > inode number preserving anyway, so even if we find a convoluted way
> > > > to fix the above, the EVM signature has to be portable because
> > > > otherwise its always wrong for container images.
> > >
> > > Ignaz's use case was mutable files, not immutable files with file
> > > signatures.
> >
> > The word "mutable" is problematic in terms of overlays.  Only the upper
> > layer is mutable, so if your EVM signed file is anywhere other than in
> > the top layer it's technically immutable.  What you get when you mutate
> > it is a copy up.  the VFS guarantee is that inode numbers are stable
> > only for the current mount and may change on a remount.  Most disk
> > backed filesystems have inode numbers encoded in their on disk inodes,
> > which is why they have far more stability than the simple VFS
> > requirement, but some filesystems can't have long term stable inode
> > numbers.  We recognise this problem in EVM with so called "portable
> > signatures" that don't include the inode number and generation.

For portable signatures, to bind the file metadata with the file data,
we've replaced the inode number and generation, with the
"security.ima" xattr.  Do we want this requirement/limitation for
overlays?

The existing EVM portable signature is an asymmetric algorithm based
signature.  Would we define a "portable" HMAC?

> > I'm interested in discussing two points
> >
> >    1. Can we actually come up with semantics where the EVM signature is
> >       always valid for overlays?
> 
> What you are looking for is a persistent and stable identifier for
> the inode object. Such a property already exists for filesystems that
> support NFS file handles.
> 
> As I wrote, you can *sometimes* rely on overlay i_ino to be consistent
> and stable (it will usually have the value of the pre copy up lower inode
> even after copy up), bug i_generation is nonsense.
> 
> You can *always* rely on overlay file handle to be a unique indetifier
> of the inode (even after mount cycle) as long as nfs_export=on and
> overlayfs supports NFS file handles (as well as the underlying layers).
> 
> 
> >    2. If the answer to 1. is "no" should we not always use portable
> >       signatures for overlay cases?
> 
> You can determine if overlayfs has exportfs ops and choose portable
> non-portable signatures per instance.
> 
> >
> > I think there are a load of nasty corner cases in 1. that make 2. far
> > more preferable, but perhaps we can begin with the use case that
> > requires non-portable signatures with overlays, because I don't think
> > I've heard it yet.
> >
> > >   Prior to 4.19, EVM was calculating and verifying the file
> > > HMAC properly.  With 4.19, it stopped working because the i_ino used
> > > in calculating the HMAC value stored in security.evm, is not the same
> > >  when verifying the HMAC value.
> >
> > Yes, but the same thing would happen on cifs or NFS or any other
> > filesystem that constructs inode numbers on the fly.  If we're not
> > proposing trying to fix them, why fix overlayfs?

Both EVM and IMA have been limited to local filesystems, originally
dependent on i_version.  Only recently has there been interest in
remote file systems.  There's a lot more than just adding a portable
EVM format to support remote filesystems.

Mimi
> 
> NFS file handles as inode identifier would work for those as well.
> 
> Thanks,
> Amir.
> 


  reply	other threads:[~2018-12-19 21:02 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-18 19:49 EVM: Permission denied with overlayfs Ignaz Forster
2018-12-18 23:00 ` Mimi Zohar
2018-12-19 15:39   ` Mimi Zohar
2018-12-19 16:38     ` Amir Goldstein
2018-12-19 18:34       ` Mimi Zohar
2018-12-19 20:39         ` Amir Goldstein
2018-12-20  3:42       ` Goldwyn Rodrigues
2018-12-20  7:15         ` Amir Goldstein
2018-12-19 16:56     ` James Bottomley
2018-12-19 18:15       ` Mimi Zohar
2018-12-19 19:34         ` James Bottomley
2018-12-19 20:12           ` Amir Goldstein
2018-12-19 21:02             ` Mimi Zohar [this message]
2018-12-19 22:08               ` James Bottomley
2018-12-20 14:55                 ` Mimi Zohar
2018-12-20 19:24                   ` James Bottomley
2018-12-19 22:11             ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1545253341.3954.83.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=amir73il@gmail.com \
    --cc=iforster@suse.de \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-unionfs@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=rgoldwyn@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).