lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 14 Feb 2022 17:32:49 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Roberto Sassu <roberto.sassu@...wei.com>,
        "shuah@...nel.org" <shuah@...nel.org>,
        "ast@...nel.org" <ast@...nel.org>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        "andrii@...nel.org" <andrii@...nel.org>,
        "kpsingh@...nel.org" <kpsingh@...nel.org>,
        Florent Revest <revest@...omium.org>
Cc:     "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ima: Calculate digest in ima_inode_hash() if not
 available

On Mon, 2022-02-14 at 17:05 +0000, Roberto Sassu wrote:
> > From: Mimi Zohar [mailto:zohar@...ux.ibm.com]
> > Sent: Sunday, February 13, 2022 2:06 PM
> > Hi Roberto,
> > 
> > On Fri, 2022-02-11 at 11:48 +0100, Roberto Sassu wrote:
> > > __ima_inode_hash() checks if a digest has been already calculated by
> > > looking for the integrity_iint_cache structure associated to the passed
> > > inode.
> > >
> > > Users of ima_file_hash() and ima_inode_hash() (e.g. eBPF) might be
> > > interested in obtaining the information without having to setup an IMA
> > > policy so that the digest is always available at the time they call one of
> > > those functions.
> > >
> > > Open a new file descriptor in __ima_inode_hash(), so that this function
> > > could invoke ima_collect_measurement() to calculate the digest if it is not
> > > available. Still return -EOPNOTSUPP if the calculation failed.
> > >
> > > Instead of opening a new file descriptor, the one from ima_file_hash()
> > > could have been used. However, since ima_inode_hash() was created to
> > obtain
> > > the digest when the file descriptor is not available, it could benefit from
> > > this change too. Also, the opened file descriptor might be not suitable for
> > > use (file descriptor opened not for reading).
> > >
> > > This change does not cause memory usage increase, due to using a temporary
> > > integrity_iint_cache structure for the digest calculation, and due to
> > > freeing the ima_digest_data structure inside integrity_iint_cache before
> > > exiting from __ima_inode_hash().
> > >
> > > Finally, update the test by removing ima_setup.sh (it is not necessary
> > > anymore to set an IMA policy) and by directly executing /bin/true.
> > >
> > > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> > 
> > Although this patch doesn't directly modify either ima_file_hash() or
> > ima_inode_hash(),  this change affects both functions.  ima_file_hash()
> > was introduced to be used with eBPF.  Based on Florent's post, changing
> > the ima_file_hash() behavor seems fine.  Since I have no idea whether
> > anyone is still using ima_inode_hash(), perhaps it would be safer to
> > limit this behavior change to just ima_file_hash().
> 
> Hi Mimi
> 
> ok.
> 
> I found that just checking that iint->ima_hash is not NULL is not enough
> (ima_inode_hash() might still return the old digest after a file write).
> Should I replace that check with !(iint->flags & IMA_COLLECTED)?
> Or should I do only for ima_file_hash() and recalculate the digest
> if necessary?

Updating the file hash after each write would really impact IMA
performance.  If you really want to detect any file change, no matter
how frequently it occurs, your best bet would be to track i_generation
and i_version.  Stefan is already adding "i_generation" for IMA
namespacing.

> 
> > Please update the ima_file_hash() doc.  While touching this area, I'd
> > appreciate your fixing the first doc line in both ima_file_hash() and
> > ima_inode_hash() cases, which wraps spanning two lines.
> 
> Did you mean to make the description shorter or to have everything
> in one line? According to the kernel documentation (kernel-doc.rst),
> having the brief description in multiple lines should be fine.

Thanks for checking kernel-doc.   The "brief description"  not wrapping
across multiple lines did in fact change.

> > Please split the IMA from the eBPF changes.
> 
> Ok.

-- 
thanks,

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ