lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 15 Feb 2022 08:00:34 +0000
From:   Roberto Sassu <roberto.sassu@...wei.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>,
        "shuah@...nel.org" <shuah@...nel.org>,
        "ast@...nel.org" <ast@...nel.org>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        "andrii@...nel.org" <andrii@...nel.org>,
        "kpsingh@...nel.org" <kpsingh@...nel.org>,
        Florent Revest <revest@...omium.org>
CC:     "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>,
        "linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH] ima: Calculate digest in ima_inode_hash() if not
 available

> From: Mimi Zohar [mailto:zohar@...ux.ibm.com]
> Sent: Monday, February 14, 2022 11:33 PM
> On Mon, 2022-02-14 at 17:05 +0000, Roberto Sassu wrote:
> > > From: Mimi Zohar [mailto:zohar@...ux.ibm.com]
> > > Sent: Sunday, February 13, 2022 2:06 PM
> > > Hi Roberto,
> > >
> > > On Fri, 2022-02-11 at 11:48 +0100, Roberto Sassu wrote:
> > > > __ima_inode_hash() checks if a digest has been already calculated by
> > > > looking for the integrity_iint_cache structure associated to the passed
> > > > inode.
> > > >
> > > > Users of ima_file_hash() and ima_inode_hash() (e.g. eBPF) might be
> > > > interested in obtaining the information without having to setup an IMA
> > > > policy so that the digest is always available at the time they call one of
> > > > those functions.
> > > >
> > > > Open a new file descriptor in __ima_inode_hash(), so that this function
> > > > could invoke ima_collect_measurement() to calculate the digest if it is not
> > > > available. Still return -EOPNOTSUPP if the calculation failed.
> > > >
> > > > Instead of opening a new file descriptor, the one from ima_file_hash()
> > > > could have been used. However, since ima_inode_hash() was created to
> > > obtain
> > > > the digest when the file descriptor is not available, it could benefit from
> > > > this change too. Also, the opened file descriptor might be not suitable for
> > > > use (file descriptor opened not for reading).
> > > >
> > > > This change does not cause memory usage increase, due to using a
> temporary
> > > > integrity_iint_cache structure for the digest calculation, and due to
> > > > freeing the ima_digest_data structure inside integrity_iint_cache before
> > > > exiting from __ima_inode_hash().
> > > >
> > > > Finally, update the test by removing ima_setup.sh (it is not necessary
> > > > anymore to set an IMA policy) and by directly executing /bin/true.
> > > >
> > > > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> > >
> > > Although this patch doesn't directly modify either ima_file_hash() or
> > > ima_inode_hash(),  this change affects both functions.  ima_file_hash()
> > > was introduced to be used with eBPF.  Based on Florent's post, changing
> > > the ima_file_hash() behavor seems fine.  Since I have no idea whether
> > > anyone is still using ima_inode_hash(), perhaps it would be safer to
> > > limit this behavior change to just ima_file_hash().
> >
> > Hi Mimi
> >
> > ok.
> >
> > I found that just checking that iint->ima_hash is not NULL is not enough
> > (ima_inode_hash() might still return the old digest after a file write).
> > Should I replace that check with !(iint->flags & IMA_COLLECTED)?
> > Or should I do only for ima_file_hash() and recalculate the digest
> > if necessary?
> 
> Updating the file hash after each write would really impact IMA
> performance.  If you really want to detect any file change, no matter
> how frequently it occurs, your best bet would be to track i_generation
> and i_version.  Stefan is already adding "i_generation" for IMA
> namespacing.

I just wanted the ability to get a fresh digest after a file opened
for writing is closed. Since in my use case I would not use an IMA
policy, that would not be a problem.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua

> > > Please update the ima_file_hash() doc.  While touching this area, I'd
> > > appreciate your fixing the first doc line in both ima_file_hash() and
> > > ima_inode_hash() cases, which wraps spanning two lines.
> >
> > Did you mean to make the description shorter or to have everything
> > in one line? According to the kernel documentation (kernel-doc.rst),
> > having the brief description in multiple lines should be fine.
> 
> Thanks for checking kernel-doc.   The "brief description"  not wrapping
> across multiple lines did in fact change.
> 
> > > Please split the IMA from the eBPF changes.
> >
> > Ok.
> 
> --
> thanks,
> 
> Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ