lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1576676087.4579.396.camel@linux.ibm.com>
Date:   Wed, 18 Dec 2019 08:34:47 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Florent Revest <revest@...omium.org>,
        Casey Schaufler <casey@...aufler-ca.com>,
        linux-integrity@...r.kernel.org
Cc:     jmorris@...ei.org, serge@...lyn.com, revest@...gle.com,
        allison@...utok.net, armijn@...ldur.nl, bauerman@...ux.ibm.com,
        linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, kpsingh@...omium.org
Subject: Re: [PATCH] integrity: Expose data structures required for
 include/linux/integrity.h

On Wed, 2019-12-18 at 12:03 +0100, Florent Revest wrote:
> On Tue, 2019-12-17 at 18:08 -0500, Mimi Zohar wrote:
> > On Tue, 2019-12-17 at 08:25 -0800, Casey Schaufler wrote:
> > > On 12/17/2019 5:47 AM, Florent Revest wrote:
> > > > From: Florent Revest <revest@...gle.com>
> > > > 
> > > > include/linux/integrity.h exposes the prototype of
> > > > integrity_inode_get().
> > > > However, it relies on struct integrity_iint_cache which is
> > > > currently
> > > > defined in an internal header, security/integrity/integrity.h.
> > > > 
> > > > To allow the rest of the kernel to use integrity_inode_get,
> > > 
> > > Why do you want to do this?
> > 
> > ditto
> 
> My team works on KRSI (eBPF MAC policies presented at LSS by KP Singh).
> https://lkml.org/lkml/2019/9/10/393 We identified file hashes gathered
> from the integrity subsystem as an interesting field that we could
> potentially someday expose to eBPF programs through helpers.
> 
> One of the reason behind writing KRSI is to replace a custom kernel
> auditing module that currently needs to redefine those structures to
> access them. I imagine other kernel modules could benefit from a file
> hash API too.
> 
> This is the least intrusive patch I could come up with that allows us
> to lookup a hash from an inode. I was surprised to find that
> integrity_inode_get was exposed but not the structures it returns.
> 
> If the community is interested in a different file hash API, I'd be
> happy to iterate on this patch based on your feedback.

There's a major difference between returning just the file hash and
making the integrity_iint_cache structure public.  Peter Moody's
original code queried the cache[1].  Why do you need access to the
structure itself?

FYI, if/when we get to IMA namespacing, the cache structure will
change.

Mimi

[1] ima: add the ability to query ima for the hash of a given file.

> 
> > > >  this patch
> > > > moves the definition of the necessary structures from a private
> > > > header
> > > > to a global kernel header.
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ