From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 3/3] ima: use fs method to read integrity data (updated patch description)
Date: Sun, 24 Sep 2017 18:55:06 -0400 [thread overview]
Message-ID: <1506293706.3893.70.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1505746542.4200.242.camel@linux.vnet.ibm.com>
On Mon, 2017-09-18 at 10:55 -0400, Mimi Zohar wrote:
> On Mon, 2017-09-18 at 12:13 +0200, Jan Kara wrote:
> > On Mon 18-09-17 10:19:25, Steven Whitehouse wrote:
> > > On 17/09/17 17:38, Al Viro wrote:
> > > >On Sun, Sep 17, 2017 at 09:34:01AM -0700, Linus Torvalds wrote:
> > > >>Now, I suspect most (all?) do, but that's a historical artifact rather
> > > >>than "design". In particular, the VFS layer used to do the locking for
> > > >>the filesystems, to guarantee the POSIX requirements (POSIX requires
> > > >>that writes be seen atomically).
> > > >>
> > > >>But that lock was pushed down into the filesystems, since some
> > > >>filesystems really wanted to have parallel writes (particularly for
> > > >>direct IO, where that POSIX serialization requirement doesn't exist).
> > > >>
> > > >>That's all many years ago, though. New filesystems are likely to have
> > > >>copied the pattern from old ones, but even then..
> > > >>
> > > >>Also, it's worth noting that "inode->i_rwlock" isn't even well-defined
> > > >>as a lock. You can have the question of *which* inode gets talked
> > > >>about when you have things like eoverlayfs etc. Normally it would be
> > > >>obvious, but sometimes you'd use "file->f_mapping->host" (which is the
> > > >>same thing in the simple cases), and sometimes it really wouldn't be
> > > >>obvious at all..
> > > >>
> > > >>So... I'm really not at all convinced that i_rwsem is sensible. It's
> > > >>one of those things that are "mostly right for the simple cases",
> > > >>but...
> > > >The thing pretty much common to all of them is that write() might need
> > > >to modify permissions (suid removal), which brings ->i_rwsem in one
> > > >way or another - notify_change() needs that held...
> > > For GFS2, if we are to hold the inode info constant while it is checked, we
> > > would need to take a glock (read lock in this case) across the relevant
> > > operations. The glock will be happy under i_rwlock, since we have a lock
> > > ordering that takes local locks ahead of cluster locks. I've not dug into
> > > this enough to figure out whether the current proposal will allow this to
> > > work with GFS2 though. Does IMA cache the results from the
> > > ->read_integrity() operation?
>
> Up to now, the hash calculation was stored in the iint structure,
> which is then used to extend the TPM, verify the file's integrity
> compared to the value stored in the xattr, and included in an audit
> message.
>
> A new patch set by Thiago Bauermann will add appended signature
> support, re-using the kernel module signature appended method, which
> might require re-calculating the file hash based on a different hash
> algorithm.
>
> > So I have asked Mimi about clustered filesystems before. And for now the
> > answer was that IMA for clustered filesystems is not supported (it will
> > return some error since ->integrity_read is NULL). If we would ever want to
> > support those it would require larger overhaul of the IMA architecture to
> > give filesystem more control over the locking (which is essentially what
> > Linus wants).
>
> For performance reasons, IMA is not on a write hook, but detects file
> change on the last __fput() opened for write. ?At that point, the
> cached info is reset. ?The file hash is re-calculated and written out
> as an xattr. ?On the next file access (in policy), the file hash is
> re-calculated and stored in the iint.
>
> In terms of remote/clustered/fuse filesystems, we wouldn't be on the
> __fput() path. ?Support for remote/clustered/fuse filesystems, would
> be similar to filesystems that do not support i_version. ?Meaning only
> the first file access (in policy) would be measured/appraised, but not
> subsequent ones. ?Even if we could detect file change, we would be
> dependent on the remote/clustered/fuse filesystem to inform us of the
> change. ?What type of integrity guarantees would that provide?
After thinking this over a bit, perhaps we shouldn't cache the file
integrity results for these filesystems, since we can't rely on them
to notify us of a change (eg. malicious fs), but simply re-measure/re-
validate files each time.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Jan Kara <jack@suse.cz>, Steven Whitehouse <swhiteho@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@infradead.org>,
LSM List <linux-security-module@vger.kernel.org>,
Christoph Hellwig <hch@lst.de>,
linux-ima-devel@lists.sourceforge.net,
James Morris <jmorris@namei.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Matthew Garrett <mjg59@srcf.ucam.org>, Jan Kara <jack@suse.com>,
"Theodore Ts'o" <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <yuchao0@huawei.com>,
Bob Peterson <rpeterso@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Dave Kleikamp <shaggy@kernel.org>,
Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>,
Mark Fasheh <mfasheh@versity.com>,
Joel Becker <jlbec@evilplan.org>,
Richard Weinberger <richard@nod.at>,
"Darrick J. Wong" <darrick.wong@oracle.com>,
Hugh Dickins <hughd@google.com>, Chris Mason <clm@fb.com>,
Sascha Hauer <s.hauer@pengutronix.de>
Subject: Re: [PATCH 3/3] ima: use fs method to read integrity data (updated patch description)
Date: Sun, 24 Sep 2017 18:55:06 -0400 [thread overview]
Message-ID: <1506293706.3893.70.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1505746542.4200.242.camel@linux.vnet.ibm.com>
On Mon, 2017-09-18 at 10:55 -0400, Mimi Zohar wrote:
> On Mon, 2017-09-18 at 12:13 +0200, Jan Kara wrote:
> > On Mon 18-09-17 10:19:25, Steven Whitehouse wrote:
> > > On 17/09/17 17:38, Al Viro wrote:
> > > >On Sun, Sep 17, 2017 at 09:34:01AM -0700, Linus Torvalds wrote:
> > > >>Now, I suspect most (all?) do, but that's a historical artifact rather
> > > >>than "design". In particular, the VFS layer used to do the locking for
> > > >>the filesystems, to guarantee the POSIX requirements (POSIX requires
> > > >>that writes be seen atomically).
> > > >>
> > > >>But that lock was pushed down into the filesystems, since some
> > > >>filesystems really wanted to have parallel writes (particularly for
> > > >>direct IO, where that POSIX serialization requirement doesn't exist).
> > > >>
> > > >>That's all many years ago, though. New filesystems are likely to have
> > > >>copied the pattern from old ones, but even then..
> > > >>
> > > >>Also, it's worth noting that "inode->i_rwlock" isn't even well-defined
> > > >>as a lock. You can have the question of *which* inode gets talked
> > > >>about when you have things like eoverlayfs etc. Normally it would be
> > > >>obvious, but sometimes you'd use "file->f_mapping->host" (which is the
> > > >>same thing in the simple cases), and sometimes it really wouldn't be
> > > >>obvious at all..
> > > >>
> > > >>So... I'm really not at all convinced that i_rwsem is sensible. It's
> > > >>one of those things that are "mostly right for the simple cases",
> > > >>but...
> > > >The thing pretty much common to all of them is that write() might need
> > > >to modify permissions (suid removal), which brings ->i_rwsem in one
> > > >way or another - notify_change() needs that held...
> > > For GFS2, if we are to hold the inode info constant while it is checked, we
> > > would need to take a glock (read lock in this case) across the relevant
> > > operations. The glock will be happy under i_rwlock, since we have a lock
> > > ordering that takes local locks ahead of cluster locks. I've not dug into
> > > this enough to figure out whether the current proposal will allow this to
> > > work with GFS2 though. Does IMA cache the results from the
> > > ->read_integrity() operation?
>
> Up to now, the hash calculation was stored in the iint structure,
> which is then used to extend the TPM, verify the file's integrity
> compared to the value stored in the xattr, and included in an audit
> message.
>
> A new patch set by Thiago Bauermann will add appended signature
> support, re-using the kernel module signature appended method, which
> might require re-calculating the file hash based on a different hash
> algorithm.
>
> > So I have asked Mimi about clustered filesystems before. And for now the
> > answer was that IMA for clustered filesystems is not supported (it will
> > return some error since ->integrity_read is NULL). If we would ever want to
> > support those it would require larger overhaul of the IMA architecture to
> > give filesystem more control over the locking (which is essentially what
> > Linus wants).
>
> For performance reasons, IMA is not on a write hook, but detects file
> change on the last __fput() opened for write. At that point, the
> cached info is reset. The file hash is re-calculated and written out
> as an xattr. On the next file access (in policy), the file hash is
> re-calculated and stored in the iint.
>
> In terms of remote/clustered/fuse filesystems, we wouldn't be on the
> __fput() path. Support for remote/clustered/fuse filesystems, would
> be similar to filesystems that do not support i_version. Meaning only
> the first file access (in policy) would be measured/appraised, but not
> subsequent ones. Even if we could detect file change, we would be
> dependent on the remote/clustered/fuse filesystem to inform us of the
> change. What type of integrity guarantees would that provide?
After thinking this over a bit, perhaps we shouldn't cache the file
integrity results for these filesystems, since we can't rely on them
to notify us of a change (eg. malicious fs), but simply re-measure/re-
validate files each time.
Mimi
next prev parent reply other threads:[~2017-09-24 22:55 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-15 4:58 [PATCH 0/3] ima: only call integrity_kernel_read to calc file hash Mimi Zohar
2017-09-15 4:58 ` Mimi Zohar
2017-09-15 4:58 ` [PATCH 1/3] vfs: constify path argument to kernel_read_file_from_path Mimi Zohar
2017-09-15 4:58 ` Mimi Zohar
2017-09-15 18:37 ` Linus Torvalds
2017-09-15 18:37 ` Linus Torvalds
2017-09-15 4:58 ` [PATCH 2/3] integrity: replace call to integrity_read_file with kernel version Mimi Zohar
2017-09-15 4:58 ` Mimi Zohar
2017-09-15 4:58 ` [PATCH 3/3] ima: use fs method to read integrity data Mimi Zohar
2017-09-15 4:58 ` Mimi Zohar
[not found] ` <CA+55aFwVujvsdaq09O216u-uBbBbo5i_1d6aw3ksottR_uiJ6w@mail.gmail.com>
2017-09-15 9:04 ` Mimi Zohar
2017-09-15 9:04 ` Mimi Zohar
2017-09-15 9:09 ` Mimi Zohar
2017-09-15 9:09 ` Mimi Zohar
2017-09-15 18:05 ` Linus Torvalds
2017-09-15 18:05 ` Linus Torvalds
2017-09-15 14:49 ` Christoph Hellwig
2017-09-15 14:49 ` Christoph Hellwig
2017-09-15 15:21 ` Mimi Zohar
2017-09-15 15:21 ` Mimi Zohar
2017-09-15 20:25 ` [PATCH 3/3] ima: use fs method to read integrity data (updated patch description) Mimi Zohar
2017-09-15 20:25 ` Mimi Zohar
2017-09-16 18:20 ` Linus Torvalds
2017-09-16 18:20 ` Linus Torvalds
2017-09-17 5:47 ` Mimi Zohar
2017-09-17 5:47 ` Mimi Zohar
2017-09-17 15:17 ` Christoph Hellwig
2017-09-17 15:17 ` Christoph Hellwig
2017-09-17 15:28 ` Linus Torvalds
2017-09-17 15:28 ` Linus Torvalds
2017-09-17 15:37 ` Christoph Hellwig
2017-09-17 15:37 ` Christoph Hellwig
2017-09-17 16:15 ` Mimi Zohar
2017-09-17 16:15 ` Mimi Zohar
2017-09-17 16:34 ` Linus Torvalds
2017-09-17 16:34 ` Linus Torvalds
2017-09-17 16:38 ` Al Viro
2017-09-17 16:38 ` Al Viro
2017-09-18 9:19 ` Steven Whitehouse
2017-09-18 9:19 ` Steven Whitehouse
2017-09-18 10:13 ` Jan Kara
2017-09-18 10:13 ` Jan Kara
2017-09-18 14:55 ` Mimi Zohar
2017-09-18 14:55 ` Mimi Zohar
2017-09-24 22:55 ` Mimi Zohar [this message]
2017-09-24 22:55 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1506293706.3893.70.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.