From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Christoph Hellwig <hch@infradead.org>,
Roberto Sassu <roberto.sassu@huawei.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Silviu Vlasceanu <Silviu.Vlasceanu@huawei.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()
Date: Tue, 17 Nov 2020 13:54:25 -0500 [thread overview]
Message-ID: <20201117185425.GG445084@mit.edu> (raw)
In-Reply-To: <CAHk-=wih-ibNUxeiKpuKrw3Rd2=QEAZ8zgRWt_CORAjbZykRWQ@mail.gmail.com>
On Tue, Nov 17, 2020 at 10:23:58AM -0800, Linus Torvalds wrote:
> On Mon, Nov 16, 2020 at 10:35 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > We need to differentiate between signed files, which by definition are
> > immutable, and those that are mutable. Appending to a mutable file,
> > for example, would result in the file hash not being updated.
> > Subsequent reads would fail.
>
> Why would that require any reading of the file at all AT WRITE TIME?
>
> Don't do it. Really.
>
> When opening the file write-only, you just invalidate the hash. It
> doesn't matter anyway - you're only writing.
>
> Later on, when reading, only at that point does the hash matter, and
> then you can do the verification.
>
> Although honestly, I don't even see the point. You know the hash won't
> match, if you wrote to the file.
I think the use case the IMA folks might be thinking about is where
they want to validate the file at open time, *before* the userspace
application starts writing to the file, since there might be some
subtle attacks where Boris changes the first part of the file before
Alice appends "I agree" to said file.
Of course, Boris will be able to modify the file after Alice has
modified it, so it's a bit of a moot point, but one could imagine a
scenario where the file is modified while the system is not running
(via an evil hotel maid) and then after Alice modifies the file, of
*course* the hash will be invalid, so no one would notice. A sane
application would have read the file to make sure it contained the
proper contents before appending "I agree" to said file, so it's a bit
of an esoteric point.
The other case I could imagine is if the file is marked execute-only,
without read access, and IMA wanted to be able to read the file to
check the hash. But we already make an execption for allowing the
file to be read during page faults, so that's probably less
controversial.
- Ted
next prev parent reply other threads:[~2020-11-17 18:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-13 8:01 [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash() Roberto Sassu
2020-11-13 15:53 ` Mimi Zohar
2020-11-14 11:10 ` Christoph Hellwig
2020-11-16 8:52 ` Roberto Sassu
2020-11-16 16:22 ` Christoph Hellwig
2020-11-16 16:46 ` Mimi Zohar
2020-11-16 17:37 ` Linus Torvalds
2020-11-16 17:41 ` Christoph Hellwig
2020-11-16 18:09 ` Linus Torvalds
2020-11-16 18:35 ` Mimi Zohar
2020-11-17 18:23 ` Linus Torvalds
2020-11-17 18:54 ` Theodore Y. Ts'o [this message]
2020-11-17 23:23 ` Mimi Zohar
2020-11-17 23:29 ` Linus Torvalds
2020-11-17 23:36 ` Linus Torvalds
2020-11-18 18:28 ` Mimi Zohar
2020-11-20 12:52 ` Roberto Sassu
2020-11-16 18:21 ` Mimi Zohar
2020-11-16 18:08 ` Al Viro
2020-11-16 18:49 ` Mimi Zohar
2020-11-17 12:29 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201117185425.GG445084@mit.edu \
--to=tytso@mit.edu \
--cc=Silviu.Vlasceanu@huawei.com \
--cc=hch@infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).