From: Mimi Zohar <zohar@linux.ibm.com>
To: Ignaz Forster <iforster@suse.de>,
miklos@szeredi.hu, linux-unionfs@vger.kernel.org,
linux-integrity@vger.kernel.org
Subject: Re: PROBLEM: IMA xattrs not written on overlayfs
Date: Fri, 28 Sep 2018 12:54:31 -0400
Message-ID: <1538153671.3713.4.camel@linux.ibm.com>
In-Reply-To: <e74f411a-d3fa-6f10-9ac6-d070f7d50220@suse.de>
On Mon, 2018-09-10 at 11:17 +0200, Ignaz Forster wrote:
> On 07.09.18 at 20:45, Mimi Zohar wrote:
> >> A small example for reproduction (on a system with IMA appraisal):
> >> # OVERLAYFS_TEST_DIR=`mktemp -d`
> >> # mkdir "${OVERLAYFS_TEST_DIR}/upper"
> >> # mkdir "${OVERLAYFS_TEST_DIR}/work"
> >> # mount -t overlay -o lowerdir=/etc,upperdir="${OVERLAYFS_TEST_DIR}/upper",workdir="${OVERLAYFS_TEST_DIR}/work" overlay /etc
> >> #
> >> # rm -f /etc/test.txt
> >> # echo Test > /etc/test.txt
> >> # cat /etc/test.txt
> >> cat: /etc/test.txt: Permission denied
> >> # ls -s /etc/test.txt
> >> 4 /etc/test.txt # <- The contents are there
> >> # getfattr -m . -d /etc/test.txt
> >> # # <- The hash isn't
> >>
> >
> > Thank you for providing the example. Also on a linux-4.18.0-rcX test
> > kernel, the file hash isn't being written out either. The builtin
> > "appraise_tcb" policy (eg. specified as "ima_policy=appraise_tcb" on
> > the boot command) has a tmpfs dont_appraise rule.
>
> Putting the mount point into /tmp may have been a bad example, however
> at least on my system /tmp is mounted from a btrfs subvolume. Same with
> /var, which I'm using for my personal tests.
The file size is still 0 when ima_check_last_writer() calls
ima_update_xattr(), which tries to calculate the file hash and write
it out as security.ima.
Mimi
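The symptom in the reproduction above is a file whose contents are present but which carries no security.ima xattr, so IMA appraisal denies the open. The following audit script is an added example, not code from the thread or from the IMA or overlayfs code: it walks a directory tree and reports regular files that lack security.ima, so an administrator can find such files on an overlay mount before appraisal refuses them. It relies on Python's os.listxattr, which exists only on Linux; the xattr name parameter and the treatment of unsupported filesystems (reported as missing) are this example's own choices.

```python
"""Audit a tree for regular files with no security.ima xattr.

Added example (not from the mailing-list thread). On an IMA-appraising
system a file without security.ima is refused on open, which is the
"Permission denied" seen in the reproduction. This lists such files.
"""
import os
import sys

IMA_XATTR = "security.ima"


def has_xattr(path: str, name: str = IMA_XATTR) -> bool:
    """Return True if `path` carries the extended attribute `name`.

    os.listxattr is Linux-only; where it is absent, or the filesystem does
    not support xattrs (OSError), the attribute is reported as missing,
    which is the conservative answer for an appraisal check.
    """
    listxattr = getattr(os, "listxattr", None)
    if listxattr is None:
        return False
    try:
        return name in listxattr(path, follow_symlinks=False)
    except OSError:
        return False


def files_missing_xattr(root: str, name: str = IMA_XATTR) -> list:
    """Return sorted paths of regular files under `root` lacking `name`.

    Symlinks are skipped: IMA appraises the file an open() resolves to,
    not the link itself.
    """
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = os.path.join(dirpath, fname)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            if not has_xattr(p, name):
                missing.append(p)
    return sorted(missing)


def main(argv: list) -> int:
    root = argv[1] if len(argv) > 1 else "."
    missing = files_missing_xattr(root)
    for p in missing:
        print(f"no {IMA_XATTR}: {p}")
    # Non-zero exit when something is missing, so the audit can gate a
    # deployment step (e.g. after populating an overlay upperdir).
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 ima_audit.py /etc` (or any mount point); a file created through the overlay as in the reproduction shows up in the output because ima_update_xattr() never wrote the hash.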