[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1543001453.4298.23.camel@linux.ibm.com>
Date: Fri, 23 Nov 2018 14:30:53 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Casey Schaufler <casey@...aufler-ca.com>,
Roberto Sassu <roberto.sassu@...wei.com>,
viro@...iv.linux.org.uk
Cc: linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, initramfs@...r.kernel.org,
linux-kernel@...r.kernel.org, silviu.vlasceanu@...wei.com,
dmitry.kasatkin@...wei.com, takondra@...co.com, kamensky@...co.com,
hpa@...or.com, arnd@...db.de, rob@...dley.net,
james.w.mcmechan@...il.com
Subject: Re: [RFC][PATCH] fs: set xattrs in initramfs from regular files
On Fri, 2018-11-23 at 11:03 -0800, Casey Schaufler wrote:
> On 11/22/2018 7:49 AM, Roberto Sassu wrote:
> > Although rootfs (tmpfs) supports xattrs, they are not set due to the
> > limitation of the cpio format. A new format called 'newcx' was proposed to
> > overcome this limitation.
> >
> > However, it looks like that adding a new format is not simple: 15 kernel
> > patches; user space tools must support the new format; mistakes made in the
> > past should be avoided; it is unclear whether the kernel should switch from
> > cpio to tar.
> >
> > The aim of this patch is to provide the same functionality without
> > introducing a new format. The value of xattrs is placed in regular files
> > having the same file name as the files xattrs are added to, plus a
> > separator and the xattr name (<filename>.xattr-<xattr name>).
> >
> > Example:
> >
> > '/bin/cat.xattr-security.ima' is the name of a file containing the value of
> > the security.ima xattr to be added to /bin/cat.
> >
> > At kernel initialization time, the kernel iterates over the rootfs
> > filesystem, and if it encounters files with the '.xattr-' separator, it
> > reads the content and adds the xattr to the file without the suffix.
>
> No.
>
> Really, no.
>
> It would be incredibly easy to use this mechanism to break
> into systems.
>
>
> > This proposal requires that LSMs and IMA allow the read and setxattr
> > operations. This should not be a concern since: files with xattr values
> > are not parsed by the kernel; user space processes are not yet executed.
> >
> > It would be possible to include all xattrs in the same file, but this
> > increases the risk of the kernel being compromised by parsing the content.
>
> The kernel mustn't do this.
Mustn't do what? Store the xattr as separate detached files,
include all the xattrs in a single or per security/LSM xattr attribute
file(s), or either?
Mimi
Powered by blists - more mailing lists