Date: Wed, 24 Jan 2018 11:52:34 -0600
From: "Serge E. Hallyn"
To: Alban Crequy
Cc: alban@kinvolk.io, dongsu@kinvolk.io, iago@kinvolk.io, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, miklos@szeredi.hu, viro@zeniv.linux.org.uk, zohar@linux.vnet.ibm.com, dmitry.kasatkin@gmail.com, james.l.morris@oracle.com, serge@hallyn.com, seth.forshee@canonical.com, hch@infradead.org
Subject: Re: [RFC PATCH v3 2/2] ima: force re-appraisal on filesystems with FS_IMA_NO_CACHE
Message-ID: <20180124175234.GA29811@mail.hallyn.com>
References: <20180122162452.8756-1-alban@kinvolk.io> <20180122162452.8756-3-alban@kinvolk.io>
In-Reply-To: <20180122162452.8756-3-alban@kinvolk.io>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Alban Crequy (alban.crequy@gmail.com):
> From: Alban Crequy
>
> This patch forces files to be re-measured, re-appraised and re-audited
> on file systems with the feature flag FS_IMA_NO_CACHE. In that way,
> cached integrity results won't be used.
>
> How to test this:
>
> The test I did was using a patched version of the memfs FUSE driver
> [1][2] and two very simple "hello-world" programs [4] (prog1 prints
> "hello world: 1" and prog2 prints "hello world: 2").
>
> I copy prog1 and prog2 into the fuse-memfs mount point, execute them and
> check the sha1 hash in
> "/sys/kernel/security/ima/ascii_runtime_measurements".
>
> My patch on the memfs FUSE driver added a backdoor command to serve
> prog1 when the kernel asks for prog2 or vice-versa. In this way, I can
> exec prog1 and get it to print "hello world: 2" without ever replacing
> the file via the VFS, so the kernel is not aware of the change.
>
> The test was done using the branch "alban/fuse-flag-ima-nocache-v3" [3].
>
> Step by step test procedure:
>
> 1. Mount the memfs FUSE using [2]:
>    rm -f /tmp/memfs-switch* ; memfs -L DEBUG /mnt/memfs
>
> 2. Copy prog1 and prog2 using [4]:
>    cp prog1 /mnt/memfs/prog1
>    cp prog2 /mnt/memfs/prog2
>
> 3. Look up the files and let the FUSE driver keep the handles open:
>    dd if=/mnt/memfs/prog1 bs=1 | (read -n 1 x ; sleep 3600 ) &
>    dd if=/mnt/memfs/prog2 bs=1 | (read -n 1 x ; sleep 3600 ) &
>
> 4. Check the 2 programs work correctly:
>    $ /mnt/memfs/prog1
>    hello world: 1
>    $ /mnt/memfs/prog2
>    hello world: 2
>
> 5. Check the measurements for prog1 and prog2:
>    $ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements \
>      | grep /mnt/memfs/prog
>    10 [...] ima-ng sha1:ac14c9268cd2[...] /mnt/memfs/prog1
>    10 [...] ima-ng sha1:799cb5d1e06d[...] /mnt/memfs/prog2
>
> 6. Use the backdoor command in my patched memfs to redirect file
>    operations on file handle 3 to file handle 2:
>    rm -f /tmp/memfs-switch* ; touch /tmp/memfs-switch-3-2
>
> 7. Check how the FUSE driver serves different content for the files:
>    $ /mnt/memfs/prog1
>    hello world: 2
>    $ /mnt/memfs/prog2
>    hello world: 2
>
> 8. Check the measurements:
>    sudo cat /sys/kernel/security/ima/ascii_runtime_measurements \
>      | grep /mnt/memfs/prog
>
> Without the patch, there are no new measurements, despite the FUSE
> driver having served different executables.
>
> With the patch, I can see additional measurements for prog1 and prog2
> with the hashes reversed when the FUSE driver served the alternative
> content.
>
> [1] https://github.com/bbengfort/memfs
> [2] https://github.com/kinvolk/memfs/commits/alban/switch-files
> [3] https://github.com/kinvolk/linux/commits/alban/fuse-flag-ima-nocache-v3
> [4] https://github.com/kinvolk/fuse-userns-patches/commit/cf1f5750cab0
>
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-integrity@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: linux-fsdevel@vger.kernel.org
> Cc: Miklos Szeredi
> Cc: Alexander Viro
> Cc: Mimi Zohar
> Cc: Dmitry Kasatkin
> Cc: James Morris
> Cc: "Serge E. Hallyn"

Acked-by: Serge Hallyn to both.

> Cc: Seth Forshee
> Cc: Christoph Hellwig
> Tested-by: Dongsu Park
> Signed-off-by: Alban Crequy
> ---
>  security/integrity/ima/ima_main.c | 24 ++++++++++++++++++++++--
>  1 file changed, 22 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 6d78cb26784d..8870a7bbe9b9 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -24,6 +24,7 @@ > #include > #include > #include > +#include > > #include "ima.h"
> > @@ -228,9 +229,28 @@ static int process_measurement(struct file *file, char *buf, loff_t size, > IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | > IMA_ACTION_FLAGS); > > - if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags)) > - /* reset all flags if ima_inode_setxattr was called */ > + /* > + * Reset the measure, appraise and audit cached flags either if: > + * - ima_inode_setxattr was called, or > + * - based on filesystem feature flag > + * forcing the file to be re-evaluated. > + */ > + if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags)) { > iint->flags &= ~IMA_DONE_MASK; > + } else if (inode->i_sb->s_type->fs_flags & FS_IMA_NO_CACHE) { > + if (action & IMA_MEASURE) { > + iint->measured_pcrs = 0; > + iint->flags &= > + ~(IMA_COLLECTED | IMA_MEASURE | IMA_MEASURED); > + } > + if (action & IMA_APPRAISE) > + iint->flags &= > + ~(IMA_COLLECTED | IMA_APPRAISE | IMA_APPRAISED | > + IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK); > + if (action & IMA_AUDIT) > + iint->flags &= > + ~(IMA_COLLECTED | IMA_AUDIT | IMA_AUDITED); > + } > > /* Determine if already appraised/measured based on bitmask > * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, > -- > 2.13.6
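Review bot: in the process_measurement hunk, the `else if` makes the FS_IMA_NO_CACHE reset run only when IMA_CHANGE_XATTR was clear, and the xattr branch does just `iint->flags &= ~IMA_DONE_MASK;` without touching `iint->measured_pcrs`. The patch itself clears `iint->measured_pcrs = 0;` in the no-cache branch because that is what forces a fresh measurement to be stored, so an access on a no-cache filesystem that coincides with an xattr change loses that guarantee for that access. Suggest either clearing `measured_pcrs` in the xattr branch as well, or dropping the `else` so the no-cache reset always applies. The new block comment also reads awkwardly ("either if: - ima_inode_setxattr was called, or - based on filesystem feature flag forcing the file to be re-evaluated"); something like "Reset the cached measure/appraise/audit flags if ima_inode_setxattr was called, or if the filesystem sets FS_IMA_NO_CACHE and wants every access re-evaluated" would be clearer.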
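Steps 5 and 8 of the quoted procedure compare the ascii_runtime_measurements entries by eye. The script below is an added example, not code from this thread or from the kernel patch: it parses constructed measurement lines in the same format and reports every path whose digest changed between measurements, which is exactly the signal the patch makes visible on FS_IMA_NO_CACHE filesystems. It goes slightly beyond the e-mail by also accepting the legacy "ima" template (bare sha1, no algorithm prefix); the digests and template hashes in the sample are made up.

```python
# Added example: spot re-measured paths in an IMA ascii_runtime_measurements
# dump. Not part of the kernel patch or the memfs test harness.

# Constructed sample log (hashes are made up, shortened for readability).
# Fields: PCR, template hash, template name, digest, path.
SAMPLE_LOG = """\
10 1111111111111111 ima-ng sha1:aaaa1111 /mnt/memfs/prog1
10 2222222222222222 ima-ng sha1:bbbb4444 /mnt/memfs/prog2
10 3333333333333333 ima-ng sha1:bbbb4444 /mnt/memfs/prog1
10 4444444444444444 ima-ng sha1:aaaa1111 /mnt/memfs/prog2
10 5555555555555555 ima cccc7777 /usr/bin/true
10 6666666666666666 ima-ng sha1:CCCC7777 /usr/bin/true
"""


def parse_measurement(line):
    """Return (pcr, algo, hexdigest, path) for one measurement line, or None.

    'ima-ng' carries 'algo:hex'; the legacy 'ima' template carries a bare
    sha1 hex. Other templates (e.g. ima-sig, which appends a signature field
    after the path) are skipped rather than mis-parsed. maxsplit=4 keeps
    paths that contain spaces intact.
    """
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    pcr, _template_hash, template, digest, path = parts
    if template == "ima-ng":
        algo, sep, hexdigest = digest.partition(":")
        if not sep:
            return None
    elif template == "ima":
        algo, hexdigest = "sha1", digest
    else:
        return None
    return int(pcr), algo, hexdigest.lower(), path.strip()


def find_remeasured(log_text):
    """Map path -> ordered 'algo:digest' list for every path that was measured
    more than once with differing digests. Without the patch a FUSE file whose
    content changed underneath the kernel never gets a second entry, so nothing
    is reported; with FS_IMA_NO_CACHE the swapped digests show up here."""
    digests = {}
    for line in log_text.splitlines():
        rec = parse_measurement(line)
        if rec is None:
            continue
        _pcr, algo, hexdigest, path = rec
        digests.setdefault(path, []).append(f"{algo}:{hexdigest}")
    return {p: d for p, d in digests.items() if len(set(d)) > 1}


if __name__ == "__main__":
    for path, seen in find_remeasured(SAMPLE_LOG).items():
        print(f"{path}: {' -> '.join(seen)}")
```

On a real system, feed it the contents of /sys/kernel/security/ima/ascii_runtime_measurements (readable by root) instead of SAMPLE_LOG.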