lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c018b014-9ba8-4395-86dc-b61346ab20a8@linux.ibm.com>
Date: Wed, 31 Jan 2024 09:40:02 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Amir Goldstein <amir73il@...il.com>
Cc: linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-unionfs@...r.kernel.org, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
        zohar@...ux.ibm.com, roberto.sassu@...wei.com, miklos@...redi.hu
Subject: Re: [PATCH 4/5] evm: Use the real inode's metadata to calculate
 metadata hash



On 1/31/24 08:16, Amir Goldstein wrote:
> On Wed, Jan 31, 2024 at 4:11 AM Stefan Berger <stefanb@...ux.ibm.com> wrote:
>>
>>
>>
>> On 1/30/24 16:46, Stefan Berger wrote:
>>> Changes to the file attribute (mode bits, uid, gid) on the lower layer
>>> are not take into account when d_backing_inode() is used when a file is
>>> accessed on the overlay layer and this file has not yet been copied up.
>>> This is because d_backing_inode() does not return the real inode of the
>>> lower layer but instead returns the backing inode which holds old file
>>> attributes. When the old file attributes are used for calculating the
>>> metadata hash then the expected hash is calculated and the file then
>>> mistakenly passes signature verification. Therefore, use d_real_inode()
>>> which returns the inode of the lower layer for as long as the file has
>>> not been copied up and returns the upper layer's inode otherwise.
>>>
>>> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
>>> ---
>>>    security/integrity/evm/evm_crypto.c | 2 +-
>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
>>> index b1ffd4cc0b44..2e48fe54e899 100644
>>> --- a/security/integrity/evm/evm_crypto.c
>>> +++ b/security/integrity/evm/evm_crypto.c
>>> @@ -223,7 +223,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
>>>                                 size_t req_xattr_value_len,
>>>                                 uint8_t type, struct evm_digest *data)
>>>    {
>>> -     struct inode *inode = d_backing_inode(dentry);
>>> +     struct inode *inode = d_real_inode(dentry);
>>>        struct xattr_list *xattr;
>>>        struct shash_desc *desc;
>>>        size_t xattr_size = 0;
>>
>> We need this patch when NOT activating CONFIG_OVERLAY_FS_METACOPY but
>> when setting CONFIG_OVERLAY_FS_METACOPY=y it has to be reverted...  I am
>> not sure what the solution is.
> 
> I think d_real_inode() does not work correctly for all its current users for
> a metacopy file.
> 
> I think the solution is to change d_real_inode() to return the data inode
> and add another helper to get the metadata inode if needed.
> I will post some patches for it.

I thought that we may have to go through vfs_getattr() but even better 
if we don't because we don't have the file *file anywhere 'near'.

> 
> However, I must say that I do not know if evm_calc_hmac_or_hash()
> needs the lower data inode, the upper metadata inode or both.

What it needs are data structures with mode bits, uid, and gid that stat 
in userspace would show.


> 
> The last time you tried to fix ovl+IMA, I asked for documentation
> of what data/metadata is protected with EVM and how are those
> protections supposed to work across overlayfs copy up, when the
> data and metadata are often split between 2 and myabe event 3
> differnt inode.

I always compare against what userspace sees with stat and that's what 
the EVM should also work with so it ends up in reasonable matching 
result in terms of hash calculation and then access permission/rejection.

> 
>  From the current patch set, I still don't understand what is the expected
> behavior before and after copy up of data/metadata-only.
> 
> Thanks,
> Amir.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ