Re: [PATCH v5 12/30] integrity: implement get and set acl hook

From: Paul Moore <paul@paul-moore.com>
To: Christian Brauner <brauner@kernel.org>
Cc: linux-fsdevel@vger.kernel.org, Seth Forshee <sforshee@kernel.org>,
	Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
	Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v5 12/30] integrity: implement get and set acl hook
Date: Tue, 18 Oct 2022 15:17:55 -0400	[thread overview]
Message-ID: <CAHC9VhSWymFrrV2Zu3isAivuZMvgBxagkoDg3vLGDOww=Y8t_Q@mail.gmail.com> (raw)
In-Reply-To: <20221018115700.166010-13-brauner@kernel.org>

On Tue, Oct 18, 2022 at 7:59 AM Christian Brauner <brauner@kernel.org> wrote:
>
> The current way of setting and getting posix acls through the generic
> xattr interface is error prone and type unsafe. The vfs needs to
> interpret and fixup posix acls before storing or reporting it to
> userspace. Various hacks exist to make this work. The code is hard to
> understand and difficult to maintain in it's current form. Instead of
> making this work by hacking posix acls through xattr handlers we are
> building a dedicated posix acl api around the get and set inode
> operations. This removes a lot of hackiness and makes the codepaths
> easier to maintain. A lot of background can be found in [1].
>
> So far posix acls were passed as a void blob to the security and
> integrity modules. Some of them like evm then proceed to interpret the
> void pointer and convert it into the kernel internal struct posix acl
> representation to perform their integrity checking magic. This is
> obviously pretty problematic as that requires knowledge that only the
> vfs is guaranteed to have and has lead to various bugs. Add a proper
> security hook for setting posix acls and pass down the posix acls in
> their appropriate vfs format instead of hacking it through a void
> pointer stored in the uapi format.
>
> I spent considerate time in the security module and integrity
> infrastructure and audited all codepaths. EVM is the only part that
> really has restrictions based on the actual posix acl values passed
> through it (e.g., i_mode). Before this dedicated hook EVM used to translate
> from the uapi posix acl format sent to it in the form of a void pointer
> into the vfs format. This is not a good thing. Instead of hacking around in
> the uapi struct give EVM the posix acls in the appropriate vfs format and
> perform sane permissions checks that mirror what it used to to in the
> generic xattr hook.
>
> IMA doesn't have any restrictions on posix acls. When posix acls are
> changed it just wants to update its appraisal status to trigger an EVM
> revalidation.
>
> The removal of posix acls is equivalent to passing NULL to the posix set
> acl hooks. This is the same as before through the generic xattr api.
>
> Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
> ---
>
> Notes:
>     /* v2 */
>     unchanged
>
>     /* v3 */
>     Paul Moore <paul@paul-moore.com>:
>     - Add get, and remove acl hook
>
>     /* v4 */
>     unchanged
>
>     /* v5 */
>     Paul Moore <paul@paul-moore.com>:
>     - Move ifdef out of function body.
>
>     Mimi Zohar <zohar@linux.ibm.com>:
>     - Fix details in commit message.
>     - Add more details to kernel-doc for evm_inode_set_acl().
>
>  include/linux/evm.h                   | 23 ++++++++
>  include/linux/ima.h                   | 24 ++++++++
>  security/integrity/evm/evm_main.c     | 83 ++++++++++++++++++++++++++-
>  security/integrity/ima/ima_appraise.c |  9 +++
>  security/security.c                   | 21 ++++++-
>  5 files changed, 157 insertions(+), 3 deletions(-)

Acked-by: Paul Moore <paul@paul-moore.com> (LSM)

-- 
paul-moore.com