From: zohar@linux.vnet.ibm.com (Mimi Zohar)
Date: Fri, 12 May 2017 17:09:36 -0400
Subject: [PATCH] security/ima: use fs method to read integrity data
In-Reply-To: <20170511081659.GA20214@lst.de>
References: <20170510064507.1764-1-hch@lst.de>
 <20170510064507.1764-2-hch@lst.de>
 <20170510132359.GA22549@lst.de>
 <1494450047.3006.28.camel@linux.vnet.ibm.com>
 <20170511081659.GA20214@lst.de>
Message-ID: <1494623376.4997.28.camel@linux.vnet.ibm.com>
To: linux-security-module@vger.kernel.org
List-Id: linux-security-module.vger.kernel.org

On Thu, 2017-05-11 at 10:16 +0200, Christoph Hellwig wrote:
> On Wed, May 10, 2017 at 05:00:47PM -0400, Mimi Zohar wrote:
> > Without i_version support the file is measured/appraised once.  With
> > i_version support it will be re-measured/appraised. As a file system
> > is mounted/remounted, some sort of message should be emitted
> > indicating whether i_version is supported.
>
> You can check for (sb->s_flags & MS_I_VERSION) to see if it's supported.

Yes, I defined a new LSM hook to catch the new mounts, but there are
lots of mounts, even after limiting it to non-kernel mounts
(MS_KERNMOUNT) and only checking if the MS_I_VERSION is set on
filesystems mounted read-write.  It would be nice if there was a way of
saying not pseudo filesystems (e.g. CGROUP_SUPER_MAGIC, DEBUGFS_MAGIC,
DEVPTS_SUPER_MAGIC, PROC_SUPER_MAGIC, SECURITYFS_MAGIC, SYSFS_MAGIC,
etc).

> >  That does not imply that
> > there is no value in measuring/appraising the file only once.
> >
> > With this patch, the "opt-in" behavior, is only for measurement, not
> > appraisal.  For appraisal, it still enforces file hash/signature
> > verification, as it should, based on policy.
> >
> > Christoph, could we call ->read_iter() in the NULL case as Boaz
> > suggested?
>
> No - that way you get deadlocks for every fs that uses i_rwsem in
> ->read_iter, which is perfectly valid behavior.
>
> We can set ->integrity_read for every file system that's been tested
> with IMA, though.  Do you have a list of known-good file systems?

In addition to the ones you've already defined, we need definitions in
ramfs/file-mmu.c and file-nommu.c, and the corresponding tmpfs, to get
the initial measurements from the initramfs.

We know that stacked filesystems have similar locking problems.  I'm
loop back mounting each filesystem and testing to see if files are
being measured/re-measured properly.  I haven't finished yet, but there
haven't been any problems so far.

Mimi
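
The mount filter discussed in the message above, as an added example that is not part of the original mail or of the IMA code: a userspace C model of the decision "report this mount as lacking i_version support". `struct sb_model`, `is_pseudo_fs`, `warn_no_iversion` and `count_warnings` are hypothetical names, and the sample mounts are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Values as in the kernel uapi headers (linux/fs.h, linux/magic.h). */
enum { MS_RDONLY = 1, MS_KERNMOUNT = 1 << 22, MS_I_VERSION = 1 << 23 };
enum {
    PROC_SUPER_MAGIC = 0x9fa0, SYSFS_MAGIC = 0x62656572,
    DEBUGFS_MAGIC = 0x64626720, SECURITYFS_MAGIC = 0x73636673,
    DEVPTS_SUPER_MAGIC = 0x1cd1, CGROUP_SUPER_MAGIC = 0x27e0eb,
    EXT4_SUPER_MAGIC = 0xef53, TMPFS_MAGIC = 0x01021994,
};

/* Hypothetical stand-in for the two superblock fields the check reads. */
struct sb_model { const char *name; unsigned long s_flags, s_magic; };

/* Only the six pseudo filesystems named in the message are listed. */
static bool is_pseudo_fs(unsigned long m)
{
    return m == CGROUP_SUPER_MAGIC || m == DEBUGFS_MAGIC ||
           m == DEVPTS_SUPER_MAGIC || m == PROC_SUPER_MAGIC ||
           m == SECURITYFS_MAGIC || m == SYSFS_MAGIC;
}

/* True when a mount should be reported as lacking i_version support. */
bool warn_no_iversion(const struct sb_model *sb)
{
    if (sb->s_flags & (MS_KERNMOUNT | MS_RDONLY))
        return false;            /* kernel-internal or read-only mount */
    if (is_pseudo_fs(sb->s_magic))
        return false;            /* pseudo filesystem, excluded */
    return !(sb->s_flags & MS_I_VERSION);
}

/* Constructed sample mounts, not taken from a real system. */
static const struct sb_model SAMPLE[] = {
    { "proc",      MS_KERNMOUNT, PROC_SUPER_MAGIC },
    { "sysfs",     0,            SYSFS_MAGIC },
    { "ext4-rw",   0,            EXT4_SUPER_MAGIC },
    { "ext4-iver", MS_I_VERSION, EXT4_SUPER_MAGIC },
    { "ext4-ro",   MS_RDONLY,    EXT4_SUPER_MAGIC },
    { "tmpfs",     0,            TMPFS_MAGIC },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

size_t count_warnings(const struct sb_model *v, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += warn_no_iversion(&v[i]);
    return hits;
}

int main(void) { return count_warnings(SAMPLE, SAMPLE_LEN) == 2 ? 0 : 1; }
```

In this model the read-write ext4 mount without MS_I_VERSION and the tmpfs mount are the two that get reported; tmpfs is not in the pseudo list because the message names it as a filesystem whose files need measuring.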