From: Mimi Zohar <zohar@linux.ibm.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: iforster@suse.de, overlayfs <linux-unionfs@vger.kernel.org>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [Fwd: Re: EVM: Permission denied with overlayfs]
Date: Thu, 20 Dec 2018 11:39:09 -0500 [thread overview]
Message-ID: <1545323949.4077.36.camel@linux.ibm.com> (raw)
In-Reply-To: <CAOQ4uxh=bx_XKjCc88O5+Z_+xJvudp8PgWkaOds1JUEhmKZL3A@mail.gmail.com>
On Thu, 2018-12-20 at 17:56 +0200, Amir Goldstein wrote:
> On Thu, Dec 20, 2018 at 4:20 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Thu, 2018-12-20 at 14:04 +0200, Amir Goldstein wrote:
> >
> > > > > 2. What does the call stack look like when failing to verify the hash
> > > > > on oo.text?
> > > >
> > > > *** Cat of same file on merged dir fails (ino != 258)
> > > > cat: overlay/merged/abc.text: Permission denied
> > > >
> > > > [ 476.770869] evm: ino: 38593 258 38593 abc.text
> > > > [ 476.770876] evm: ino: 38593
> > > > [ 476.770883] CPU: 3 PID: 3928 Comm: cat Not tainted 4.20.0-rc2+ #1287
> > > > [ 476.770887] Hardware name: LENOVO 20BTS1NJ00/20BTS1NJ00, BIOS N14ET48W (1.26 ) 06/11/2018
> > > > [ 476.770890] Call Trace:
> > > > [ 476.770906] dump_stack+0x46/0x5b
> > > > [ 476.770913] hmac_add_misc+0x171/0x180
> > > > [ 476.770920] evm_calc_hmac_or_hash+0x1c9/0x280
> > > > [ 476.770927] evm_verify_hmac+0x11f/0x2b0
> > > > [ 476.770933] ? evm_protected_xattr+0x6c/0x90
> > > > [ 476.770940] ima_appraise_measurement+0x83/0x510
> > > > [ 476.770948] process_measurement+0x646/0x6f0
> > > > [ 476.770955] ? selinux_file_open+0xa8/0xc0
> > > > [ 476.770961] ? do_dentry_open+0x25c/0x340
> > > > [ 476.770966] ? open_with_fake_path+0x48/0x70
> > > > [ 476.770974] ? ovl_open_realfile+0x56/0xe0
> > > > [ 476.770981] ima_file_check+0x4a/0x60
> > >
> > > If you let this check return success even though appraisal failed,
> > > you will see that ovl_open_realfile() will end up calling ima_file_check()
> > > again with the "real" file and this check should not fail.
> > > Hence, my suggestion to mark the overlayfs sb with SB_NOIMA.
> >
> > There's all sorts of caching of results involved in both EVM and IMA.
> > Not so easy to modify. Assuming that I properly removed the caching,
> > I'm not seeing another call to ima_file_check.
> >
>
> Mmm right. open_with_fake_path() doesn't call ima_file_check(). My bad.
>
> My intuition is that all d_backing_inode() calls under security/integrity
> should be converted to d_real_inode(). After all, users of d_backing_inode()
> probably want the lower/upper inode, because that is what the helper
> claims to do. The reason things worked in v4.18 is because
> d_backing_inode(file_dentry(file)) was the real inode.
>
> My intuition is that this statement is true for other subsystems that
> use d_backing_inode() as well. We could have changed the
> implementation of d_backing_inode() to call d_real_inode()
> to potentially fix all those subsystems with less churn, but it is hard to
> audit all caller to make sure this is correct for all of them.
> In fact, it is probably not correct for code in fs/*.c.
>
> So the safer approach is to fix one subsystem at a time by converting
> callers to d_real_inode() and in the end get rid of d_backing_inode().
>
> Mimi, please try if this fixes EVM over overlayfs.
Yes, changing the hmac_add_misc() call in evm_calc_hmac_or_hash()
fixes the problem.
Mimi
>
> Miklos, do you have other thoughts about how to address this issue?
>
> Thanks,
> Amir.
>
prev parent reply other threads:[~2018-12-20 16:39 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-18 19:49 EVM: Permission denied with overlayfs Ignaz Forster
2018-12-18 23:00 ` Mimi Zohar
2018-12-19 15:39 ` Mimi Zohar
2018-12-19 16:38 ` Amir Goldstein
2018-12-19 18:34 ` Mimi Zohar
2018-12-19 20:39 ` Amir Goldstein
2018-12-20 3:42 ` Goldwyn Rodrigues
2018-12-20 7:15 ` Amir Goldstein
2018-12-19 16:56 ` James Bottomley
2018-12-19 18:15 ` Mimi Zohar
2018-12-19 19:34 ` James Bottomley
2018-12-19 20:12 ` Amir Goldstein
2018-12-19 21:02 ` Mimi Zohar
2018-12-19 22:08 ` James Bottomley
2018-12-20 14:55 ` Mimi Zohar
2018-12-20 19:24 ` James Bottomley
2018-12-19 22:11 ` James Bottomley
[not found] ` <1545234449.3954.14.camel@linux.ibm.com>
[not found] ` <CAOQ4uxgG9yu-dOgOZyFnck+=ZjsoDe0SCJ6S-4+s0kB6mH2Maw@mail.gmail.com>
[not found] ` <1545245504.3954.51.camel@linux.ibm.com>
2018-12-19 20:47 ` [Fwd: Re: EVM: Permission denied with overlayfs] Amir Goldstein
2018-12-20 10:53 ` Mimi Zohar
2018-12-20 12:04 ` Amir Goldstein
2018-12-20 14:20 ` Mimi Zohar
2018-12-20 15:56 ` Amir Goldstein
2018-12-20 16:39 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1545323949.4077.36.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=amir73il@gmail.com \
--cc=iforster@suse.de \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.