From: Fabian Vogt <fvogt@suse.de>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Amir Goldstein <amir73il@gmail.com>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	Miklos Szeredi <miklos@szeredi.hu>,
	overlayfs <linux-unionfs@vger.kernel.org>,
	Ignaz Forster <iforster@suse.de>
Subject: Re: [RFC PATCH 0/5] Fix overlayfs on EVM
Date: Wed, 13 Feb 2019 09:05:44 +0100
Message-ID: <4472439.nvz8ndpTJa@linux-e202.suse.de>
In-Reply-To: <1550011897.12743.310.camel@linux.ibm.com>

Hi,

Am Dienstag, 12. Februar 2019, 23:51:37 CET schrieb Mimi Zohar:
> 
> > > > If my assumptions so far are correct, then the effort for making
> > > > IMA/EVM work with overlayfs should focus around finding the
> > > > places where overlayfs uses lower level vfs interface (often
> > > > vfs_xxx helpers) and make sure that the IMA hooks are placed
> > > > in those lower vfs interfaces, just like vfs_create() patch does
> > > > and like vfs_tmpfile() patch did before it.
> > >
> > > So basically turning on NOIMA for overlayfs while ensuring that integrity
> > > checks and operations still perform as expected?
> > 
> > Yes.
> > As far as IMA is concerned, Overlayfs is like a filesystem user from kernel.
> > Very similar to knfsd in that respect.
> 
> Fabian, if you're thinking of disabling IMA-appraisal on overlay filesystems, 
> have you tried defining an appraise policy rule based on the overlayfs
> magic number (eg. dont_appraise fsmagic=0x794c7630)?

Yes, that was one of the first approaches we tested - basically switching from
a) to b) using configuration. It didn't work: IMA was then completely
circumvented, and neither were hashes updated for changed files nor were they
checked on access. That was a few months ago though, so it might have changed.

Cheers,
Fabian

> Mimi
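The `dont_appraise fsmagic=0x794c7630` rule discussed above is evaluated like any other IMA policy rule: the kernel walks the rules in order and, within each action class (measure, appraise, audit, hash), the first rule whose conditions match decides, so an exclusion placed after a broader `appraise` rule never fires. The following is an added example, not code from the thread or from the kernel: a small Python model of that first-match evaluation, supporting only the `func=` and `fsmagic=` conditions, run over two constructed policies that differ only in rule order. The magic number is the one quoted in the message (OVERLAYFS_SUPER_MAGIC in include/uapi/linux/magic.h); the ext4 magic is used only as a contrasting second filesystem type.

```python
"""Simplified model of IMA policy rule matching (added example, not kernel code).

Models only what is needed to reason about the rule suggested in the thread:
the action keyword, an optional func= condition and an optional fsmagic=
condition. Rules are evaluated in order and the first appraise/dont_appraise
rule that matches decides; later rules of that class are not consulted.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OVERLAYFS_SUPER_MAGIC = 0x794C7630  # value quoted in the thread (linux/magic.h)
EXT4_SUPER_MAGIC = 0xEF53           # contrasting filesystem type for the demo

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}


@dataclass
class Rule:
    action: str
    func: Optional[str] = None      # hook name, e.g. FILE_CHECK; None matches any
    fsmagic: Optional[int] = None   # superblock magic; None matches any
    lineno: int = 0

    def matches(self, func: str, fsmagic: int) -> bool:
        if self.func is not None and self.func != func:
            return False
        if self.fsmagic is not None and self.fsmagic != fsmagic:
            return False
        return True


def parse_policy(text: str) -> List[Rule]:
    """Parse 'action [func=...] [fsmagic=...]' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action = tokens[0]
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rule = Rule(action=action, lineno=lineno)
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            if key == "func":
                rule.func = value
            elif key == "fsmagic":
                rule.fsmagic = int(value, 0)   # accepts 0x... like the kernel parser
            else:
                raise ValueError(f"line {lineno}: condition {key!r} not modelled")
        rules.append(rule)
    return rules


def appraise_decision(rules: List[Rule], func: str,
                      fsmagic: int) -> Tuple[Optional[str], Optional[Rule]]:
    """First matching appraise/dont_appraise rule wins; None if nothing matches."""
    for rule in rules:
        if rule.action not in ("appraise", "dont_appraise"):
            continue
        if rule.matches(func, fsmagic):
            return rule.action, rule
    return None, None


# Constructed policies: same two rules, different order.
POLICY_EXCLUDE_FIRST = """
dont_appraise fsmagic=0x794c7630   # overlayfs excluded before the catch-all
appraise func=FILE_CHECK
"""

POLICY_EXCLUDE_LAST = """
appraise func=FILE_CHECK           # matches first, exclusion below is dead
dont_appraise fsmagic=0x794c7630
"""


def decide(policy_text: str, func: str = "FILE_CHECK",
           fsmagic: int = OVERLAYFS_SUPER_MAGIC) -> Optional[str]:
    action, _ = appraise_decision(parse_policy(policy_text), func, fsmagic)
    return action


if __name__ == "__main__":
    for name, policy in (("exclude-first", POLICY_EXCLUDE_FIRST),
                         ("exclude-last", POLICY_EXCLUDE_LAST)):
        for fs, magic in (("overlayfs", OVERLAYFS_SUPER_MAGIC),
                          ("ext4", EXT4_SUPER_MAGIC)):
            print(f"{name:13s} FILE_CHECK on {fs:9s} -> {decide(policy, fsmagic=magic)}")
```

With the exclusion first, an overlayfs FILE_CHECK resolves to `dont_appraise` while ext4 still resolves to `appraise`; with the exclusion last, both resolve to `appraise` and the overlayfs rule is never reached. The model says nothing about whether appraisal of the underlying files still happens once the overlay superblock is excluded, which is the behaviour the reply above reports on.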





Thread overview: 13+ messages
2019-02-11 16:53 [RFC PATCH 0/5] Fix overlayfs on EVM Ignaz Forster
2019-02-11 16:53 ` [PATCH 1/5] evm: instead of using the overlayfs i_ino, use the real i_ino Ignaz Forster
2019-02-11 16:53 ` [PATCH 2/5] Rename ima_post_create_tmpfile Ignaz Forster
2019-02-11 16:53 ` [PATCH 3/5] Execute IMA post create hook in vfs_create Ignaz Forster
2019-02-11 16:53 ` [PATCH 4/5] Ignore IMA / EVM xattrs during copy_up Ignaz Forster
2019-02-12  2:55   ` Amir Goldstein
2019-02-11 16:53 ` [PATCH 5/5] Use __vfs_getxattr to get overlayfs xattrs Ignaz Forster
2019-02-12  3:29 ` [RFC PATCH 0/5] Fix overlayfs on EVM Amir Goldstein
2019-02-12 10:55   ` Fabian Vogt
2019-02-12 13:47     ` Amir Goldstein
2019-02-12 22:51       ` Mimi Zohar
2019-02-13  8:05         ` Fabian Vogt [this message]
2019-02-13  9:13           ` Amir Goldstein
