From: Mimi Zohar <zohar@linux.ibm.com>
To: Miklos Szeredi <miklos@szeredi.hu>, Fabian Vogt <fvogt@suse.de>
Cc: Ignaz Forster <iforster@suse.de>,
overlayfs <linux-unionfs@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: PROBLEM: IMA xattrs not written on overlayfs
Date: Wed, 03 Oct 2018 17:18:21 -0400 [thread overview]
Message-ID: <1538601501.3702.217.camel@linux.ibm.com> (raw)
In-Reply-To: <CAJfpegtk=OD6GVVOOtBT4Lto9x73vnSGdTMrzK-uTvStE6KxWw@mail.gmail.com>
Hi Miklos,
On Mon, 2018-10-01 at 11:05 +0200, Miklos Szeredi wrote:
> On Fri, Sep 28, 2018 at 9:37 PM, Fabian Vogt <fvogt@suse.de> wrote:
> > Hi,
> >
> > I'm the other person Ignaz refers to when he wrote "we".
> >
> > Am Freitag, 28. September 2018, 20:24:47 CEST schrieb Ignaz Forster:
> >> Am 28.09.18 um 18:54 schrieb Mimi Zohar:
> >> > On Mon, 2018-09-10 at 11:17 +0200, Ignaz Forster wrote:
> >> >> Am 07.09.18 um 20:45 schrieb Mimi Zohar:
> >> >>>> A small example for reproduction (on a system with IMA appraisal):
> >> >>>> # OVERLAYFS_TEST_DIR=`mktemp -d`
> >> >>>> # mkdir "${OVERLAYFS_TEST_DIR}/upper"
> >> >>>> # mkdir "${OVERLAYFS_TEST_DIR}/work"
> >> >>>> # mount -t overlay -o lowerdir=/etc,upperdir="${OVERLAYFS_TEST_DIR}
> >> >>>> /upper",workdir="${OVERLAYFS_TEST_DIR}/work" overlay /etc
> >> >>>> #
> >> >>>> # rm -f /etc/test.txt
> >> >>>> # echo Test > /etc/test.txt
> >> >>>> # cat /etc/test.txt
> >> >>>> cat: /etc/test.txt: Permission denied
> >> >>>> # ls -s /etc/test.txt
> >> >>>> 4 /etc/test.txt # <- The contents are there
> >> >>>> # getfattr -m . -d /etc/test.txt
> >> >>>> # # <- The hash isn't
> >> >>>>
> >> > The file size is still 0, when ima_check_last_writer() calls
> >> > ima_update_xattr(), which tries to calculate the file hash and write
> >> > it out an security.ima.
> >>
> >> We found out that when forcibly setting the read flag in
> >> ovl_open_realfile as seen in the attached patch the IMA attributes will
> >> be set correctly again. It seems IMA cannot read the file contents and
> >> thus cannot create the hash any more.
> >
> > In ima_crypto.c, ima_calc_file_hash_{atfm,tfm} we can find this hack (?),
> > which allows to read even through a WRONLY file:
> >
> > if (!(file->f_mode & FMODE_READ)) {
> > file->f_mode |= FMODE_READ;
> > read = 1;
> > }
> >
> > integrity_kernel_read(file, ...);
> >
> > if (read)
> > file->f_mode &= ~FMODE_READ;
>
> It's not just a hack, it's a security hole: what prevents a read(2) on
> that file from userspace exploiting the window while the f_mode is
> changed?
IMA calculates the file hash either on the last write close (__fput)
or when verifying the file hash on file open. The discussion here is
about calculating the file hash on __fput. Before the file can be
read, the IMA file hash or signature would have to be verified first
on file open.
Unless I'm missing something, which is totally possible, I'm not sure
there is a problem.
Mimi
next prev parent reply other threads:[~2018-10-03 21:18 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-07 16:49 PROBLEM: IMA xattrs not written on overlayfs Ignaz Forster
2018-09-07 18:45 ` Mimi Zohar
2018-09-10 9:17 ` Ignaz Forster
2018-09-28 16:54 ` Mimi Zohar
2018-09-28 18:24 ` Ignaz Forster
2018-09-28 19:06 ` Mimi Zohar
2018-09-28 19:37 ` Fabian Vogt
2018-10-01 9:05 ` Miklos Szeredi
2018-10-03 21:18 ` Mimi Zohar [this message]
2018-10-03 22:35 ` Miklos Szeredi
2018-10-04 15:52 ` Mimi Zohar
2018-10-05 2:57 ` Goldwyn Rodrigues
2018-10-05 10:33 ` Mimi Zohar
2018-10-05 17:30 ` Goldwyn Rodrigues
2018-10-07 8:22 ` Amir Goldstein
2018-10-08 12:54 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1538601501.3702.217.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=fvogt@suse.de \
--cc=iforster@suse.de \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).