lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 13 Feb 2022 08:06:01 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>, shuah@...nel.org,
        ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
        kpsingh@...nel.org, Florent Revest <revest@...omium.org>
Cc:     linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kselftest@...r.kernel.org, netdev@...r.kernel.org,
        bpf@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ima: Calculate digest in ima_inode_hash() if not
 available

Hi Roberto,

On Fri, 2022-02-11 at 11:48 +0100, Roberto Sassu wrote:
> __ima_inode_hash() checks if a digest has been already calculated by
> looking for the integrity_iint_cache structure associated to the passed
> inode.
> 
> Users of ima_file_hash() and ima_inode_hash() (e.g. eBPF) might be
> interested in obtaining the information without having to setup an IMA
> policy so that the digest is always available at the time they call one of
> those functions.
> 
> Open a new file descriptor in __ima_inode_hash(), so that this function
> could invoke ima_collect_measurement() to calculate the digest if it is not
> available. Still return -EOPNOTSUPP if the calculation failed.
> 
> Instead of opening a new file descriptor, the one from ima_file_hash()
> could have been used. However, since ima_inode_hash() was created to obtain
> the digest when the file descriptor is not available, it could benefit from
> this change too. Also, the opened file descriptor might be not suitable for
> use (file descriptor opened not for reading).
> 
> This change does not cause memory usage increase, due to using a temporary
> integrity_iint_cache structure for the digest calculation, and due to
> freeing the ima_digest_data structure inside integrity_iint_cache before
> exiting from __ima_inode_hash().
> 
> Finally, update the test by removing ima_setup.sh (it is not necessary
> anymore to set an IMA policy) and by directly executing /bin/true.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>

Although this patch doesn't directly modify either ima_file_hash() or
ima_inode_hash(),  this change affects both functions.  ima_file_hash()
was introduced to be used with eBPF.  Based on Florent's post, changing
the ima_file_hash() behavor seems fine.  Since I have no idea whether
anyone is still using ima_inode_hash(), perhaps it would be safer to
limit this behavior change to just ima_file_hash().

Please update the ima_file_hash() doc.  While touching this area, I'd
appreciate your fixing the first doc line in both ima_file_hash() and
ima_inode_hash() cases, which wraps spanning two lines.

Please split the IMA from the eBPF changes.

-- 
thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ