From: Fan Wu <wufan@linux.microsoft.com>
To: luca.boccassi@gmail.com, linux-security-module@vger.kernel.org
Cc: paul@paul-moore.com
Subject: Re: [PATCH v3 2/2] ipe: also reject policy updates with the same version
Date: Wed, 25 Sep 2024 14:22:19 -0700 [thread overview]
Message-ID: <4fc9a356-abf1-476f-ac69-7fa47cbee52c@linux.microsoft.com> (raw)
In-Reply-To: <20240925210134.530989-2-luca.boccassi@gmail.com>
On 9/25/2024 2:01 PM, luca.boccassi@gmail.com wrote:
> From: Luca Boccassi <bluca@debian.org>
>
> Currently IPE accepts an update that has the same version as the policy
> being updated, but it doesn't make it a no-op nor it checks that the
> old and new policyes are the same. So it is possible to change the
> content of a policy, without changing its version. This is very
> confusing from userspace when managing policies.
> Instead change the update logic to reject updates that have the same
> version with ESTALE, as that is much clearer and intuitive behaviour.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
> ---
> v2: also update documentation
> v3: fix typo in documentation
>
> Documentation/admin-guide/LSM/ipe.rst | 2 +-
> security/ipe/policy.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst
> index 47323494d119..f93a467db628 100644
> --- a/Documentation/admin-guide/LSM/ipe.rst
> +++ b/Documentation/admin-guide/LSM/ipe.rst
> @@ -269,7 +269,7 @@ in the kernel. This file is write-only and accepts a PKCS#7 signed
> policy. Two checks will always be performed on this policy: First, the
> ``policy_names`` must match with the updated version and the existing
> version. Second the updated policy must have a policy version greater than
> -or equal to the currently-running version. This is to prevent rollback attacks.
> +the currently-running version. This is to prevent rollback attacks.
>
> The ``delete`` file is used to remove a policy that is no longer needed.
> This file is write-only and accepts a value of ``1`` to delete the policy.
> diff --git a/security/ipe/policy.c b/security/ipe/policy.c
> index 3a0069c6d5af..45f7d6a0ed23 100644
> --- a/security/ipe/policy.c
> +++ b/security/ipe/policy.c
> @@ -106,7 +106,7 @@ int ipe_update_policy(struct inode *root, const char *text, size_t textlen,
> goto err;
> }
>
> - if (ver_to_u64(old) > ver_to_u64(new)) {
> + if (ver_to_u64(old) >= ver_to_u64(new)) {
> rc = -ESTALE;
> goto err;
> }
Acked-by: Fan Wu <wufan@linux.microsoft.com>
I will pull them along with the policy signing keyring change once I get
things ready.
-Fan
prev parent reply other threads:[~2024-09-25 21:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-25 21:01 [PATCH v3 1/2] ipe: return -ESTALE instead of -EINVAL on update when new policy has a lower version luca.boccassi
2024-09-25 21:01 ` [PATCH v3 2/2] ipe: also reject policy updates with the same version luca.boccassi
2024-09-25 21:22 ` Fan Wu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4fc9a356-abf1-476f-ac69-7fa47cbee52c@linux.microsoft.com \
--to=wufan@linux.microsoft.com \
--cc=linux-security-module@vger.kernel.org \
--cc=luca.boccassi@gmail.com \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).