From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
Ignaz Forster <iforster@suse.de>,
Amir Goldstein <amir73il@gmail.com>
Cc: Goldwyn Rodrigues <rgoldwyn@suse.com>,
linux-integrity@vger.kernel.org,
Miklos Szeredi <miklos@szeredi.hu>,
linux-unionfs@vger.kernel.org
Subject: Re: EVM: Permission denied with overlayfs
Date: Wed, 19 Dec 2018 08:56:41 -0800 [thread overview]
Message-ID: <1545238601.2916.13.camel@HansenPartnership.com> (raw)
In-Reply-To: <1545233975.3954.8.camel@linux.ibm.com>
On Wed, 2018-12-19 at 10:39 -0500, Mimi Zohar wrote:
> Confirmed, in linux-4.18.y d_backing_inode returns the real i_ino,
> but newer kernels do not.
Just so we're clear, this isn't an issue with d_backing_inode(), which
hasn't changed since its introduction in 2015 and which always returns
dentry->d_inode (it was originally a helper for unionfs which got
merged even though unionfs didn't, which makes it and the comment about
upper/lower totally misleading). The problem is that overlayfs has
changed the inode it places into d_inode.
> This is a problem for EVM as the i_ino is included in the HMAC
> calculation.
Isn't the solution always to use portable signatures for containers?
It's problematic to include inode and generation with an overlay
because if you change the metadata it gets copied up => new inode
number and generation on the upper filesystem but if we were always
using the underlying inode number and generation, the signature would
then be wrong on the copied up file.
At base, most container images are sets of tar files, which are not
inode number preserving anyway, so even if we find a convoluted way to
fix the above, the EVM signature has to be portable because otherwise
its always wrong for container images.
James
next prev parent reply other threads:[~2018-12-19 16:56 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-18 19:49 EVM: Permission denied with overlayfs Ignaz Forster
2018-12-18 23:00 ` Mimi Zohar
2018-12-19 15:39 ` Mimi Zohar
2018-12-19 16:38 ` Amir Goldstein
2018-12-19 18:34 ` Mimi Zohar
2018-12-19 20:39 ` Amir Goldstein
2018-12-20 3:42 ` Goldwyn Rodrigues
2018-12-20 7:15 ` Amir Goldstein
2018-12-19 16:56 ` James Bottomley [this message]
2018-12-19 18:15 ` Mimi Zohar
2018-12-19 19:34 ` James Bottomley
2018-12-19 20:12 ` Amir Goldstein
2018-12-19 21:02 ` Mimi Zohar
2018-12-19 22:08 ` James Bottomley
2018-12-20 14:55 ` Mimi Zohar
2018-12-20 19:24 ` James Bottomley
2018-12-19 22:11 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1545238601.2916.13.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=amir73il@gmail.com \
--cc=iforster@suse.de \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=rgoldwyn@suse.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).