| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Mar 2014 00:20:05 +0200 From: Dmitry Kasatkin <dmitry.kasatkin@...il.com> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: Casey Schaufler <casey@...aufler-ca.com>, Dmitry Kasatkin <d.kasatkin@...sung.com>, linux-security-module@...r.kernel.org, James Morris <jmorris@...ei.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH 8/8] evm: introduce EVM hmac xattr list On Wed, Mar 5, 2014 at 6:04 PM, Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: > On Wed, 2014-03-05 at 11:26 +0200, Dmitry Kasatkin wrote: >> On Tue, Mar 4, 2014 at 10:36 PM, Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: >> > On Tue, 2014-03-04 at 16:18 +0200, Dmitry Kasatkin wrote: >> >> On Tue, Mar 4, 2014 at 5:21 AM, Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: >> >> > On Mon, 2014-03-03 at 19:00 -0800, Casey Schaufler wrote: >> >> >> On 3/3/2014 6:39 PM, Mimi Zohar wrote: >> >> >> > On Fri, 2014-02-28 at 16:59 +0200, Dmitry Kasatkin wrote: >> >> >> >> EVM currently uses source hard coded list of xattrs which needs to be >> >> >> >> included into the HMAC calculation. This is very unflexible. >> >> >> >> Adding new attributes requires modifcation of the source code and >> >> >> >> prevents building the kernel which works with previously labeled >> >> >> >> filesystems. >> >> >> >> >> >> >> >> Early versions of Smack used only one xattr security.SMACK64, >> >> >> >> which is protected by EVM. Now Smack has a few more attributes and >> >> >> >> they are not protected. Adding support to the source code makes it >> >> >> >> impossible to use new kernel with previousely labeled filesystems. >> >> >> > I think this patch will break any existing filesystems labeled with >> >> >> > 'security.smack64'. Details inline. >> >> >> > >> >> >> >> This patch replaces hardcoded xattr array with dynamic list which is >> >> >> >> initialized from CONFIG_EVM_HMAC_XATTRS variable. It allows to build >> >> >> >> kernel with with support of older and newer EVM HMAC formats. >> > >> > So instead of having a single kernel, this allows you to build different >> > kernels with different xattr labels included in the HMAC. Wouldn't you >> > want a migration mode, similar to 'fix' mode, that only updates the >> > HMAC, if the existing HMAC verified based on the prior set of xattrs? >> > >> >> It would require to maintain 2 sets of xattrs: "old" and "new". >> What if "new" becomes "old" again, while there were still not updated >> previous "old" :) >> >> I think it would bring unnecessary complexity. >> System designers define what xattrs they want to protect and stick with that. >> Filesystems stays anyway, but allows to upgrade to new kernels. >> >> If someone really wants to upgrade the system, just use "evm=fix" and run >> recursive fix.., e.g. 'evmctl -r ima_fix /' > > Right, but instead of fixing everything, we would want a "safe" fix. > Verify the existing HMAC, before updating the HMAC based on the new set > of xattrs. With this design, only an "old" and "new" set of xattrs > would be needed. > This can be the next step further. Now we need to support new xattrs in the kernel, without breaking existing labeled filesystem. Dmitry > Mimi > -- Thanks, Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists