Re: [PATCH] overlayfs: Trigger file re-evaluation by IMA / EVM after writes

[Mimi Zohar <zohar@linux.ibm.com>]

On Thu, 2023-05-18 at 16:46 -0400, Paul Moore wrote:
> On Fri, Apr 21, 2023 at 10:44 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > On Fri, 2023-04-07 at 09:29 -0400, Jeff Layton wrote:
> > > > > > >
> > > > > > > I would ditch the original proposal in favor of this 2-line patch shown here:
> > > > > > >
> > > > > > > https://lore.kernel.org/linux-integrity/a95f62ed-8b8a-38e5-e468-ecbde3b221af@linux.ibm.com/T/#m3bd047c6e5c8200df1d273c0ad551c645dd43232
> > > >
> > > > We should cool it with the quick hacks to fix things. :)
> > > >
> > >
> > > Yeah. It might fix this specific testcase, but I think the way it uses
> > > the i_version is "gameable" in other situations. Then again, I don't
> > > know a lot about IMA in this regard.
> > >
> > > When is it expected to remeasure? If it's only expected to remeasure on
> > > a close(), then that's one thing. That would be a weird design though.
> >
> > Historical background:
> >
> > Prior to IMA being upstreamed there was a lot of discussion about how
> > much/how frequently to measure files.  Re-measuring files after each
> > write would impact performance.  Instead of re-measuring files after
> > each write, if a file already opened for write was opened for read
> > (open writers) or a file already opened for read was opened for write
> > (Time of Measure/Time of Use) the IMA meausrement list was invalidated
> > by including a violation record in the measurement list.
> >
> > Only the BPRM hook prevents a file from being opened for write.
> >
> > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > Ok, I think I get it. IMA is trying to use the i_version from the
> > > > > > overlayfs inode.
> > > > > >
> > > > > > I suspect that the real problem here is that IMA is just doing a bare
> > > > > > inode_query_iversion. Really, we ought to make IMA call
> > > > > > vfs_getattr_nosec (or something like it) to query the getattr routine in
> > > > > > the upper layer. Then overlayfs could just propagate the results from
> > > > > > the upper layer in its response.
> > > > > >
> > > > > > That sort of design may also eventually help IMA work properly with more
> > > > > > exotic filesystems, like NFS or Ceph.
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > > Maybe something like this? It builds for me but I haven't tested it. It
> > > > > looks like overlayfs already should report the upper layer's i_version
> > > > > in getattr, though I haven't tested that either:
> > > > >
> > > > > -----------------------8<---------------------------
> > > > >
> > > > > [PATCH] IMA: use vfs_getattr_nosec to get the i_version
> > > > >
> > > > > IMA currently accesses the i_version out of the inode directly when it
> > > > > does a measurement. This is fine for most simple filesystems, but can be
> > > > > problematic with more complex setups (e.g. overlayfs).
> > > > >
> > > > > Make IMA instead call vfs_getattr_nosec to get this info. This allows
> > > > > the filesystem to determine whether and how to report the i_version, and
> > > > > should allow IMA to work properly with a broader class of filesystems in
> > > > > the future.
> > > > >
> > > > > Reported-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > > > > ---
> > > >
> > > > So, I think we want both; we want the ovl_copyattr() and the
> > > > vfs_getattr_nosec() change:
> > > >
> > > > (1) overlayfs should copy up the inode version in ovl_copyattr(). That
> > > >     is in line what we do with all other inode attributes. IOW, the
> > > >     overlayfs inode's i_version counter should aim to mirror the
> > > >     relevant layer's i_version counter. I wouldn't know why that
> > > >     shouldn't be the case. Asking the other way around there doesn't
> > > >     seem to be any use for overlayfs inodes to have an i_version that
> > > >     isn't just mirroring the relevant layer's i_version.
> > >
> > > It's less than ideal to do this IMO, particularly with an IS_I_VERSION
> > > inode.
> > >
> > > You can't just copy up the value from the upper. You'll need to call
> > > inode_query_iversion(upper_inode), which will flag the upper inode for a
> > > logged i_version update on the next write. IOW, this could create some
> > > (probably minor) metadata write amplification in the upper layer inode
> > > with IS_I_VERSION inodes.
> > >
> > >
> > > > (2) Jeff's changes for ima to make it rely on vfs_getattr_nosec().
> > > >     Currently, ima assumes that it will get the correct i_version from
> > > >     an inode but that just doesn't hold for stacking filesystem.
> > > >
> > > > While (1) would likely just fix the immediate bug (2) is correct and
> > > > _robust_. If we change how attributes are handled vfs_*() helpers will
> > > > get updated and ima with it. Poking at raw inodes without using
> > > > appropriate helpers is much more likely to get ima into trouble.
> > >
> > > This will fix it the right way, I think (assuming it actually works),
> > > and should open the door for IMA to work properly with networked
> > > filesystems that support i_version as well.
> >
> > On a local filesystem, there are guarantees that the calculated file
> > hash is that of the file being used.  Reminder IMA reads a file, page
> > size chunk at a time into a single buffer, calculating the file hash.
> > Once the file hash is calculated, the memory is freed.
> >
> > There are no guarantees on a fuse filesystem, for example, that the
> > original file read and verified is the same as the one being executed.
> > I'm not sure that the integrity guarantees of a file on a remote
> > filesystem will be the same as those on a local file system.
> >
> > >
> > > Note that there Stephen is correct that calling getattr is probably
> > > going to be less efficient here since we're going to end up calling
> > > generic_fillattr unnecessarily, but I still think it's the right thing
> > > to do.
> > >
> > > If it turns out to cause measurable performance regressions though,
> > > maybe we can look at adding a something that still calls ->getattr if it
> > > exists but only returns the change_cookie value.
> >
> > Sure.  For now,
> >
> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> I'm going through my review queue to make sure I haven't missed
> anything and this thread popped up ... Stefan, Mimi, did you get a fix
> into an upstream tree somewhere?  If not, is it because you are
> waiting on a review/merge from me into the LSM tree?

Sorry for the delay.  Between vacation and LSS, I just started testing
Jeff Layton's patch.

Mimi