From: Mimi Zohar <zohar@linux.ibm.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Goldwyn Rodrigues <rgoldwyn@suse.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Christian Brauner <brauner@kernel.org>,
Jeff Layton <jlayton@kernel.org>, Jan Kara <jack@suse.cz>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
overlayfs <linux-unionfs@vger.kernel.org>
Subject: Re: Fwd: [PATCH] ima: fix wrong dereferences of file->f_path
Date: Mon, 18 Sep 2023 06:36:45 -0400
Message-ID: <ddd831c35bdcd46c5912b0f34486a36785f17622.camel@linux.ibm.com>
In-Reply-To: <CAOQ4uxgAp_jwr-vbNn9eA9PoTrPZHuWb7+phF69c4WKmB8G4oA@mail.gmail.com>
On Fri, 2023-09-15 at 12:57 +0300, Amir Goldstein wrote:
> > Assuming IMA is configured, just add "ima_policy=tcb" to the command
> > line. This will measure all files executed, mmap'ed, kernel modules,
> > firmware, and all files opened by root. Normally the builtin policy is
> > replaced with a finer grained one.
> >
> > Below are a few commands, but Ken Goldman is writing documentation -
> > https://ima-doc.readthedocs.io/en/latest/
> >
> > 1. Display the IMA measurement list:
> > # cat /sys/kernel/security/ima/ascii_runtime_measurements
> > # cat /sys/kernel/security/ima/binary_runtime_measurements
> >
> > 2. Display the IMA policy (or append to the policy)
> > # cat /sys/kernel/security/ima/policy
> >
> > 3. Display number of measurements
> > # cat /sys/kernel/security/ima/runtime_measurements_count
> >
>
> Nice.
> This seems to work fine and nothing pops up when running
> fstests unionmount tests of overlayfs over xfs.
>
> What strikes me as strange is that there are measurements
> of files in xfs and in overlayfs, but no measurements of files in tmpfs.
> I suppose that is because no one can tamper with the storage
> of tmpfs, but following the same logic, nobody can tamper with
> the storage of overlayfs files without tampering with storage of
> underlying fs (e.g. xfs), so measuring overlayfs files should not
> bring any extra security to the system.
>
> Especially, since if files are signed they are signed in the real
> storage (e.g. xfs) and not in overlayfs.
>
> So in theory, we should never ever measure files in the
> "virtual" overlayfs and only measure them in the real fs.
> The only problem is the IMA hooks when executing,
> mmaping, reading files from overlayfs, don't work on the real fs.
>
> fsnotify also was not working correctly in that respect, because
> fs operations on overlayfs did not always trigger fsnotify events
> on the underlying real fs.
>
> This was fixed in 6.5 by commit bc2473c90fca ("ovl: enable fsnotify
> events on underlying real files") and the file_real_path() infrastructure
> was added to enable this.
>
> This is why I say, that in most likelihood, IMA hook should always use
> file_real_path() and file_dentry() to perform the measurements
> and record the path of the real fs when overlayfs is performing the
> actual read/mmap on the real fs and IMA hooks should ideally
> do nothing at all (as in tmpfs) when the operation is performed
> on the "virtual" overlayfs object.
tmpfs is excluded from the builtin policy, since there is no way of
storing the file signature in the initramfs (CPIO). There have been a
number of attempts at extending the initramfs CPIO format, but none
have been upstreamed.
Agreed, IMA should always use the real file for both the lower and the
upper overlayfs.
--
thanks,
Mimi
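The list printed by `cat /sys/kernel/security/ima/ascii_runtime_measurements` (item 1 in the quoted commands) can be checked offline. The following is an added example, not code from this thread or from the kernel tree: it parses ima-ng lines, recomputes each entry's template hash from the printed digest and path, and replays PCR 10 so the result can be compared with a TPM quote. It assumes the ima-ng template, sha1 template hashes and little-endian u32 field lengths, and builds its own constructed sample lines.

```python
import hashlib
import struct

# Assumed (not from the thread): ima-ng template, sha1 template hash, LE u32 field lengths.
def ima_ng_template_hash(algo: str, digest: bytes, path: str) -> bytes:
    """sha1 over the ima-ng template data, each field as u32 length + bytes:
    d-ng = "<algo>:\\0" + raw digest, n-ng = path + "\\0"."""
    h = hashlib.sha1()
    for field in (algo.encode() + b":\x00" + digest, path.encode() + b"\x00"):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.digest()

def parse_ascii_entry(line: str) -> dict:
    """Parse one ascii_runtime_measurements line: PCR template-hash ima-ng algo:hex path."""
    pcr, tmpl_hash, tmpl_name, digest, path = line.rstrip("\n").split(" ", 4)
    if tmpl_name != "ima-ng":
        raise ValueError(f"unsupported template {tmpl_name}")
    algo, hexdigest = digest.split(":", 1)
    return {"pcr": int(pcr), "template_hash": bytes.fromhex(tmpl_hash),
            "algo": algo, "digest": bytes.fromhex(hexdigest), "path": path}

def verify_entry(e: dict) -> bool:
    """Recompute the template hash from the printed fields; a mismatch means the
    line was altered after the kernel recorded (and PCR-extended) it."""
    return ima_ng_template_hash(e["algo"], e["digest"], e["path"]) == e["template_hash"]

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR' = sha1(PCR || digest). IMA extends a violation entry
    (all-zero template hash in the list) with 0xff bytes instead."""
    if digest == bytes(len(digest)):
        digest = b"\xff" * len(digest)
    return hashlib.sha1(pcr + digest).digest()

def replay_pcr(entries, pcr_index: int = 10) -> bytes:
    """Fold every entry for the given PCR into a simulated PCR value."""
    pcr = bytes(20)
    for e in entries:
        if e["pcr"] == pcr_index:
            pcr = pcr_extend(pcr, e["template_hash"])
    return pcr

def format_ascii_entry(pcr: int, algo: str, digest: bytes, path: str) -> str:
    """Print a line the way the kernel does; used here only to build samples."""
    th = ima_ng_template_hash(algo, digest, path)
    return f"{pcr} {th.hex()} ima-ng {algo}:{digest.hex()} {path}"

# Constructed sample list (not real measurements): one binary seen via xfs and via overlayfs.
SAMPLE_LINES = [format_ascii_entry(10, "sha256", hashlib.sha256(b"demo").digest(), p)
                for p in ("/usr/bin/demo", "/merged/usr/bin/demo")]
```

Feed the real file's lines to `parse_ascii_entry`, check `verify_entry` on each, and compare `replay_pcr` with the TPM's PCR 10 value; the two sample paths show the same content measured twice, once per filesystem, as discussed above.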