Re: [PATCH v3 12/29] integrity: implement get and set acl hook

[Christian Brauner <brauner@kernel.org>]

On Thu, Sep 29, 2022 at 07:25:46PM -0400, Mimi Zohar wrote:
> Hi Christian,
> 
> On Wed, 2022-09-28 at 18:08 +0200, Christian Brauner wrote:
> > The current way of setting and getting posix acls through the generic
> > xattr interface is error prone and type unsafe. The vfs needs to
> > interpret and fixup posix acls before storing or reporting it to
> > userspace. Various hacks exist to make this work. The code is hard to
> > understand and difficult to maintain in it's current form. Instead of
> > making this work by hacking posix acls through xattr handlers we are
> > building a dedicated posix acl api around the get and set inode
> > operations. This removes a lot of hackiness and makes the codepaths
> > easier to maintain. A lot of background can be found in [1].
> > 
> > So far posix acls were passed as a void blob to the security and
> > integrity modules. Some of them like evm then proceed to interpret the
> > void pointer and convert it into the kernel internal struct posix acl
> > representation to perform their integrity checking magic. This is
> > obviously pretty problematic as that requires knowledge that only the
> > vfs is guaranteed to have and has lead to various bugs. Add a proper
> > security hook for setting posix acls and pass down the posix acls in
> > their appropriate vfs format instead of hacking it through a void
> > pointer stored in the uapi format.
> > 
> > I spent considerate time in the security module and integrity
> > infrastructure and audited all codepaths. EVM is the only part that
> > really has restrictions based on the actual posix acl values passed
> > through it
> 
> (e.g. i_mode).
> 
> > Before this dedicated hook EVM used to translate from the
> > uapi posix acl format sent to it in the form of a void pointer into the
> > vfs format. This is not a good thing. Instead of hacking around in the
> > uapi struct give EVM the posix acls in the appropriate vfs format and
> > perform sane permissions checks that mirror what it used to to in the
> > generic xattr hook.
> > 
> > IMA doesn't have any restrictions on posix acls. When posix acls are
> > changed it just wants to update its appraisal status.
> 
> to trigger an EVM re-validation.
> 
> > The removal of posix acls is equivalent to passing NULL to the posix set
> > acl hooks. This is the same as before through the generic xattr api.
> > 
> > Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
> > Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
> 
> 
> > ---
> 
> > diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> > index 23d484e05e6f..7904786b610f 100644
> > --- a/security/integrity/evm/evm_main.c
> > +++ b/security/integrity/evm/evm_main.c
> > @@ -8,7 +8,7 @@
> >   *
> >   * File: evm_main.c
> >   *	implements evm_inode_setxattr, evm_inode_post_setxattr,
> > - *	evm_inode_removexattr, and evm_verifyxattr
> > + *	evm_inode_removexattr, evm_verifyxattr, and evm_inode_set_acl.
> >   */
> >  
> >  #define pr_fmt(fmt) "EVM: "fmt
> > @@ -670,6 +670,74 @@ int evm_inode_removexattr(struct user_namespace *mnt_userns,
> >  	return evm_protect_xattr(mnt_userns, dentry, xattr_name, NULL, 0);
> >  }
> >  
> > +static int evm_inode_set_acl_change(struct user_namespace *mnt_userns,
> > +				    struct dentry *dentry, const char *name,
> > +				    struct posix_acl *kacl)
> > +{
> > +#ifdef CONFIG_FS_POSIX_ACL
> > +	int rc;
> > +
> > +	umode_t mode;
> > +	struct inode *inode = d_backing_inode(dentry);
> > +
> > +	if (!kacl)
> > +		return 1;
> > +
> > +	rc = posix_acl_update_mode(mnt_userns, inode, &mode, &kacl);
> > +	if (rc || (inode->i_mode != mode))
> 
> acl_res in the existing evm_xattr_acl_change() code is based on the
> init_user_ns.  Is that the same here?   Is it guaranteed?

Using init_user_ns in the old evm_xattr_acl_change() helper is not about
correctness it's simply about getting the uapi format into a vfs struct
posix_acl to look at the mode.

For the new hook that question becomes moot as in the new clean api
evm/ima receives a struct posix_acl from the vfs. The actual code that
interprets the mode uses the mnt_userns in both.

The old evm_xattr_acl_change() helper goes away in a later patch because
it can't be reached anymore after we added dedicated acl hooks.

> 
> > +		return 1;
> > +#endif
> > +	return 0;
> > +}
> > +
> > +/**
> > + * evm_inode_set_acl - protect the EVM extended attribute for posix acls
> 
> ^from posix acls

Fixed.

> 
> 
> > + * @mnt_userns: user namespace of the idmapped mount
> > + * @dentry: pointer to the affected dentry
> > + * @acl_name: name of the posix acl
> > + * @kacl: pointer to the posix acls
> 
> Prevent modifying posix acls causing the EVM HMAC to be re-calculated
> and 'security.evm' xattr updated, unless the existing 'security.evm' is
> valid.

Added, thanks.