From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED,USER_AGENT_NEOMUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CDEAFC43387 for ; Thu, 20 Dec 2018 03:42:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9BDBE20866 for ; Thu, 20 Dec 2018 03:42:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728803AbeLTDmG (ORCPT ); Wed, 19 Dec 2018 22:42:06 -0500 Received: from mx2.suse.de ([195.135.220.15]:44576 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728061AbeLTDmG (ORCPT ); Wed, 19 Dec 2018 22:42:06 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id E9C3DAAAE; Thu, 20 Dec 2018 03:42:03 +0000 (UTC) Date: Wed, 19 Dec 2018 21:42:00 -0600 From: Goldwyn Rodrigues To: Amir Goldstein Cc: zohar@linux.ibm.com, iforster@suse.de, linux-integrity@vger.kernel.org, Miklos Szeredi , overlayfs Subject: Re: EVM: Permission denied with overlayfs Message-ID: <20181220034200.wfft5d543tje5zpy@merlin> References: <12c81a49-efca-d66c-2143-ae04ca248cce@suse.de> <1545174031.4178.8.camel@linux.ibm.com> <1545233975.3954.8.camel@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180323 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On 18:38 19/12, Amir Goldstein wrote: > On Wed, Dec 19, 2018 at 5:39 PM Mimi Zohar wrote: > > > > On Tue, 2018-12-18 at 18:00 -0500, Mimi Zohar wrote: > > > Hi Ignaz, > > > > > > On Tue, 2018-12-18 at 20:49 +0100, Ignaz Forster wrote: > > > > Hi, > > > > > > > > as a follow up to my attempts to use overlayfs on an IMA protected > > > > system[1] I've now tried to also enable EVM. From what I understand this > > > > should - at least in theory - be possible: EVM will call > > > > d_backing_inode(dentry), which I thought would get the inode of the > > > > underlying file system[2], and use that for HMAC verification. > > > > > > > > In practice simply trying to access an existing file will fail with > > > > "Permission denied" already. In the corresponding audit log I can see > > > > the file access (failed with "invalid-HMAC"), but with an inode number > > > > unknown to me - stat returns a completely different number for the file > > > > in the lower and target dir. > > > > > > > > For testing purposes I added a new hashing algorithm to > > > > evm_ima_xattr_type which will not add the file system specific > > > > attributes (inode number, generation, file system uuid) to the hash - > > > > just like EVM_XATTR_PORTABLE_DIGSIG, but with the hashes generated by > > > > the kernel. Files created with this signature can be read correctly, > > > > though writing the files will still fail. > > > > > > > > Unfortunately I'm out of ideas what is happening here. If anybody wants > > > > to have a look at this: Any help would be appreciated. > > > > > > > > Kind Regards, > > > > Ignaz > > > > > > > > [1] https://www.spinics.net/lists/linux-integrity/msg03593.html > > > > [2] https://www.kernel.org/doc/htmldocs/filesystems/API-d-backing-inode.html > > > > > > > > > > After creating a file on the overlay, I wasn't able to access it from > > > the overlay, but was able to access it from "upper". Both "stat" and > > > "getfattr -m ^security" returned exactly the same things for both > > > pathnames. However, the ino in the audit log was different. > > > > > > After modifying evm_calc_hmac_or_hash(), replacing d_backing_inode() > > > with d_real_inode(), the hmac properly calculated for both the overlay > > > and the upper pathnames. > > > > > > Something must have changed in d_backing_inode(). > > > > Confirmed, in linux-4.18.y d_backing_inode returns the real i_ino, but > > newer kernels do not. This is a problem for EVM as the i_ino is > > included in the HMAC calculation. > > > > Hi Mimi, > > v4.19 has a big change that removes many VFS hacks in favor of > overlayfs stacked file operations. > > The major implication for VFS code is that file_inode(file) is now the overlayfs > inode and not the real inode. Therefore, file_dentry(file) is also the overlayfs > dentry and not the real dentry. > > I am not sure how that change impacts EVM ? > FWIW, d_backing_inode(dentry) was never anything more than d_inode(dentry). > > Can you please try to describe in more details for someone who has no clue what > EVM does how exactly the v4.19 change is manifested in the EVM use case. > > AFAIKT, evm_calc_hmac_or_hash() would get the overlayfs dentry both in > v4.18 and v4.19 and therefore d_backing_inode(dentry) should be the > overlayfs inode in both kernels (?). > > The value of overlayfs inode i_ino can be identical to i_ino of the real inode > under some conditions, but far from always and the value of overlayfs inode > i_generation is almost guaranteed to not match that of the real inode. If I understand it correctly, overlay performs copy_up using a temporary inode, and finally copies the attributes to a "real" upper inode after the copy_up is successful. However, integrity or ima gets control for calculation and verification of the inode during the temporary phase which is not the same as the final "upper" inode. -- Goldwyn