lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOQ4uxgvKb520_Nbp+Y7KDq3_7t1tx65w5pOP8y6or1prESv+Q@mail.gmail.com>
Date:   Mon, 11 Dec 2023 20:31:33 +0200
From:   Amir Goldstein <amir73il@...il.com>
To:     Roberto Sassu <roberto.sassu@...weicloud.com>
Cc:     Christian Brauner <brauner@...nel.org>,
        Seth Forshee <sforshee@...nel.org>, miklos@...redi.hu,
        linux-unionfs@...r.kernel.org, linux-kernel@...r.kernel.org,
        zohar@...ux.ibm.com, paul@...l-moore.com, stefanb@...ux.ibm.com,
        jlayton@...nel.org, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-fsdevel@...r.kernel.org,
        Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs

On Mon, Dec 11, 2023 at 4:56 PM Roberto Sassu
<roberto.sassu@...weicloud.com> wrote:
>
> On Fri, 2023-12-08 at 23:01 +0100, Christian Brauner wrote:
> > On Fri, Dec 08, 2023 at 11:55:19PM +0200, Amir Goldstein wrote:
> > > On Fri, Dec 8, 2023 at 7:25 PM Roberto Sassu
> > > <roberto.sassu@...weicloud.com> wrote:
> > > >
> > > > From: Roberto Sassu <roberto.sassu@...wei.com>
> > > >
> > > > EVM updates the HMAC in security.evm whenever there is a setxattr or
> > > > removexattr operation on one of its protected xattrs (e.g. security.ima).
> > > >
> > > > Unfortunately, since overlayfs redirects those xattrs operations on the
> > > > lower filesystem, the EVM HMAC cannot be calculated reliably, since lower
> > > > inode attributes on which the HMAC is calculated are different from upper
> > > > inode attributes (for example i_generation and s_uuid).
> > > >
> > > > Although maybe it is possible to align such attributes between the lower
> > > > and the upper inode, another idea is to map security.evm to another name
> > > > (security.evm_overlayfs)
> > >
> > > If we were to accept this solution, this will need to be trusted.overlay.evm
> > > to properly support private overlay xattr escaping.
> > >
> > > > during an xattr operation, so that it does not
> > > > collide with security.evm set by the lower filesystem.
> > >
> > > You are using wrong terminology and it is very confusing to me.
> >
> > Same.
>
> Argh, sorry...
>
> > > see the overlay mount command has lowerdir= and upperdir=.
> > > Seems that you are using lower filesystem to refer to the upper fs
> > > and upper filesystem to refer to overlayfs.
> > >
> > > >
> > > > Whenever overlayfs wants to set security.evm, it is actually setting
> > > > security.evm_overlayfs calculated with the upper inode attributes. The
> > > > lower filesystem continues to update security.evm.
> > > >
> > >
> > > I understand why that works, but I am having a hard time swallowing
> > > the solution, mainly because I feel that there are other issues on the
> > > intersection of overlayfs and IMA and I don't feel confident that this
> > > addresses them all.
>
> This solution is specifically for the collisions on HMACs, nothing
> else. Does not interfere/solve any other problem.
>
> > > If you want to try to convince me, please try to write a complete
> > > model of how IMA/EVM works with overlayfs, using the section
> > > "Permission model" in Documentation/filesystems/overlayfs.rst
> > > as a reference.
>
> Ok, I will try.
>
> I explain first how EVM works in general, and then why EVM does not
> work with overlayfs.
>

I understand both of those things.

What I don't understand is WHY EVM needs to work on overlayfs?
What is the use case?
What is the threat model?

The purpose of IMA/EVM as far as I understand it is to detect and
protect against tampering with data/metadata offline. Right?

As Seth correctly wrote, overlayfs is just the composition of existing
underlying layers.

Noone can tamper with overlayfs without tampering with the underlying
layers.

The correct solution to your problem, and I have tried to say this many
times, in to completely opt-out of IMA/EVM for overlayfs.

EVM should not store those versions of HMAC for overlayfs and for
the underlying layers, it should ONLY store a single version for the
underlying layer.

Because write() in overlayfs always follows by write() to upper layer
and setxattr() in overlayfs always follows by setxattr() to upper layer
IMO write() and setxattr() on overlayfs should by ignored by IMA/EVM
and only write()/setxattr() on underlying fs should be acted by IMA/EVM
which AFAIK, happens anyway.

Please let me know if I am missing something,

Thanks,
Amir.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ