From: Mimi Zohar <zohar@linux.ibm.com>
To: Ignaz Forster <iforster@suse.de>,
miklos@szeredi.hu, linux-unionfs@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Fabian Vogt <fvogt@suse.de>
Subject: Re: PROBLEM: IMA xattrs not written on overlayfs
Date: Fri, 28 Sep 2018 15:06:00 -0400 [thread overview]
Message-ID: <1538161560.3702.12.camel@linux.ibm.com> (raw)
In-Reply-To: <0e1ba67f-3091-2d56-a464-07e1a8251e5e@suse.de>
On Fri, 2018-09-28 at 20:24 +0200, Ignaz Forster wrote:
> Am 28.09.18 um 18:54 schrieb Mimi Zohar:
> > On Mon, 2018-09-10 at 11:17 +0200, Ignaz Forster wrote:
> >> Am 07.09.18 um 20:45 schrieb Mimi Zohar:
> >>>> A small example for reproduction (on a system with IMA appraisal):
> >>>> # OVERLAYFS_TEST_DIR=`mktemp -d`
> >>>> # mkdir "${OVERLAYFS_TEST_DIR}/upper"
> >>>> # mkdir "${OVERLAYFS_TEST_DIR}/work"
> >>>> # mount -t overlay -o lowerdir=/etc,upperdir="${OVERLAYFS_TEST_DIR}
> >>>> /upper",workdir="${OVERLAYFS_TEST_DIR}/work" overlay /etc
> >>>> #
> >>>> # rm -f /etc/test.txt
> >>>> # echo Test > /etc/test.txt
> >>>> # cat /etc/test.txt
> >>>> cat: /etc/test.txt: Permission denied
> >>>> # ls -s /etc/test.txt
> >>>> 4 /etc/test.txt # <- The contents are there
> >>>> # getfattr -m . -d /etc/test.txt
> >>>> # # <- The hash isn't
> >>>>
> > The file size is still 0, when ima_check_last_writer() calls
> > ima_update_xattr(), which tries to calculate the file hash and write
> > it out an security.ima.
>
> We found out that when forcibly setting the read flag in
> ovl_open_realfile as seen in the attached patch the IMA attributes will
> be set correctly again. It seems IMA cannot read the file contents and
> thus cannot create the hash any more.
>
> This is obviously not ready for production, but the best I currently have.
Yeah, having file read access is definitely required to calculate a
file hash. If it helps, you could make this change in IMA and then
revert it after calculating the file hash.
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Ignaz Forster <iforster@suse.de>,
miklos@szeredi.hu, linux-unionfs@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Fabian Vogt <fvogt@suse.de>
Subject: Re: PROBLEM: IMA xattrs not written on overlayfs
Date: Fri, 28 Sep 2018 15:06:00 -0400 [thread overview]
Message-ID: <1538161560.3702.12.camel@linux.ibm.com> (raw)
In-Reply-To: <0e1ba67f-3091-2d56-a464-07e1a8251e5e@suse.de>
On Fri, 2018-09-28 at 20:24 +0200, Ignaz Forster wrote:
> Am 28.09.18 um 18:54 schrieb Mimi Zohar:
> > On Mon, 2018-09-10 at 11:17 +0200, Ignaz Forster wrote:
> >> Am 07.09.18 um 20:45 schrieb Mimi Zohar:
> >>>> A small example for reproduction (on a system with IMA appraisal):
> >>>> # OVERLAYFS_TEST_DIR=`mktemp -d`
> >>>> # mkdir "${OVERLAYFS_TEST_DIR}/upper"
> >>>> # mkdir "${OVERLAYFS_TEST_DIR}/work"
> >>>> # mount -t overlay -o lowerdir=/etc,upperdir="${OVERLAYFS_TEST_DIR}
> >>>> /upper",workdir="${OVERLAYFS_TEST_DIR}/work" overlay /etc
> >>>> #
> >>>> # rm -f /etc/test.txt
> >>>> # echo Test > /etc/test.txt
> >>>> # cat /etc/test.txt
> >>>> cat: /etc/test.txt: Permission denied
> >>>> # ls -s /etc/test.txt
> >>>> 4 /etc/test.txt # <- The contents are there
> >>>> # getfattr -m . -d /etc/test.txt
> >>>> # # <- The hash isn't
> >>>>
> > The file size is still 0, when ima_check_last_writer() calls
> > ima_update_xattr(), which tries to calculate the file hash and write
> > it out an security.ima.
>
> We found out that when forcibly setting the read flag in
> ovl_open_realfile as seen in the attached patch the IMA attributes will
> be set correctly again. It seems IMA cannot read the file contents and
> thus cannot create the hash any more.
>
> This is obviously not ready for production, but the best I currently have.
Yeah, having file read access is definitely required to calculate a
file hash. If it helps, you could make this change in IMA and then
revert it after calculating the file hash.
Mimi
next prev parent reply other threads:[~2018-09-29 1:31 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-07 16:49 PROBLEM: IMA xattrs not written on overlayfs Ignaz Forster
2018-09-07 18:45 ` Mimi Zohar
2018-09-10 9:17 ` Ignaz Forster
2018-09-28 16:54 ` Mimi Zohar
2018-09-28 18:24 ` Ignaz Forster
2018-09-28 18:24 ` Ignaz Forster
2018-09-28 19:06 ` Mimi Zohar [this message]
2018-09-28 19:06 ` Mimi Zohar
2018-09-28 19:37 ` Fabian Vogt
2018-10-01 9:05 ` Miklos Szeredi
2018-10-03 21:18 ` Mimi Zohar
2018-10-03 21:18 ` Mimi Zohar
2018-10-03 22:35 ` Miklos Szeredi
2018-10-04 15:52 ` Mimi Zohar
2018-10-04 15:52 ` Mimi Zohar
2018-10-05 2:57 ` Goldwyn Rodrigues
2018-10-05 10:33 ` Mimi Zohar
2018-10-05 10:33 ` Mimi Zohar
2018-10-05 17:30 ` Goldwyn Rodrigues
2018-10-05 17:30 ` Goldwyn Rodrigues
2018-10-05 17:30 ` Goldwyn Rodrigues
2018-10-07 8:22 ` Amir Goldstein
2018-10-08 12:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1538161560.3702.12.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=fvogt@suse.de \
--cc=iforster@suse.de \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.