From: Nicolas Bouchinet <nicolas.bouchinet@clip-os.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, philippe.trebuchet@ssi.gouv.fr,
dmitry.kasatkin@gmail.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, casey@schaufler-ca.com,
davem@davemloft.net, lucien.xin@gmail.com, vgoyal@redhat.com,
omosnace@redhat.com, mortonm@chromium.org,
nicolas.bouchinet@ssi.gouv.fr, mic@digikod.net,
cgzones@googlemail.com, linux-security-module@vger.kernel.org,
brauner@kernel.org, keescook@chromium.org
Subject: Re: [PATCH] evm: Correct inode_init_security hooks behaviors
Date: Fri, 21 Oct 2022 15:47:31 +0200 [thread overview]
Message-ID: <Y1Ki8838IAicXzlb@archlinux> (raw)
In-Reply-To: <5edef60c775117758ecc146f1e8b96ef1c48e3da.camel@linux.ibm.com>
Hi Mimi,
Thanks for the IMA/EVM project which I enjoy very much.
On Thu, Oct 20, 2022 at 03:51:38PM -0400, Mimi Zohar wrote:
> On Thu, 2022-10-20 at 15:55 +0200, Nicolas Bouchinet wrote:
> > From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
> >
> > Fixes a NULL pointer dereference occuring in the
> > `evm_protected_xattr_common` function of the EVM LSM. The bug is
> > triggered if a `inode_init_security` hook returns 0 without initializing
> > the given `struct xattr` fields (which is the case of BPF) and if no
> > other LSM overrides thoses fields after. This also leads to memory
> > leaks.
> >
> > Adds a `call_int_hook_xattr` macro that fetches and feed the
> > `new_xattrs` array with every called hook xattr values.
> >
> > Adds a `evm_init_hmacs` function which init the EVM hmac using every
> > entry of the array contrary to `evm_init_hmac`.
>
> Only EVM portable digital signatures include all of the protected
> xattrs. Refer to commit 8c7a703ec978 ("evm: Verify portable
> signatures against all protected xattrs").
>
Sorry, maybe I was not clear enough, the proposed patch does not change the
set of the protected security xattrs initialized by the LSMs and processed by EVM.
As I explained to Paul, based on my understanding, the `security_inode_init_security()`
hook is supposed to initialize every hooked LSM security xattr and next,
if evm is enabled, protect them using a HMAC algorithm.
However, in the current implementation, the use of the `call_int_hook()` macro by
`security_inode_init_security()` overwrites the previously initialized xattr for
each iteration of the `hlist_for_each_entry()` loop.
I have noticed that more than one LSM may initialize a security xattr at a time,
eg. SELinux + BPF.
IMHO my supplementary `evm_init_hmacs()` function name is a bit confusing, I would
enjoy if you have a better proposition. Note that `evm_init_hmacs()` have the same
behavior as `evm_init_hmac()` if only one security xattr is given as a parameter.
> >
> > Fixes the `evm_inode_init_security` function to use `evm_init_hmacs`.
>
> Won't this break existing EVM hmac usage?
I might be wrong, but as far as I understand it, the only working condition for
EVM now is when only one security xattr is involved, otherwise there will have
a mismatch between the initialization and the verification.
Indeed, the verification takes into account every security xattr written in its
refering dentry.
>
> --
> thanks,
>
> Mimi
>
Thanks for your time,
Best regards,
Nicolas Bouchinet
next prev parent reply other threads:[~2022-10-21 13:47 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-20 13:55 [PATCH] evm: Correct inode_init_security hooks behaviors Nicolas Bouchinet
2022-10-20 15:02 ` Paul Moore
2022-10-21 13:12 ` Nicolas Bouchinet
2022-10-20 15:14 ` Mickaël Salaün
2022-10-21 14:04 ` Nicolas Bouchinet
2022-10-20 16:41 ` Casey Schaufler
2022-10-21 13:17 ` Nicolas Bouchinet
2022-10-20 19:51 ` Mimi Zohar
2022-10-21 13:47 ` Nicolas Bouchinet [this message]
2022-10-24 16:35 ` Mimi Zohar
2022-10-25 13:33 ` Nicolas Bouchinet
2022-10-25 14:21 ` Mimi Zohar
2022-10-25 14:22 ` Mimi Zohar
2022-10-25 15:06 ` Casey Schaufler
2022-10-25 15:58 ` Mimi Zohar
2022-10-26 8:48 ` Nicolas Bouchinet
2022-10-21 14:02 ` Roberto Sassu
2022-10-24 12:50 ` Nicolas Bouchinet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y1Ki8838IAicXzlb@archlinux \
--to=nicolas.bouchinet@clip-os.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=cgzones@googlemail.com \
--cc=davem@davemloft.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=mic@digikod.net \
--cc=mortonm@chromium.org \
--cc=nicolas.bouchinet@ssi.gouv.fr \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=philippe.trebuchet@ssi.gouv.fr \
--cc=serge@hallyn.com \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.