Received: by 10.223.176.46 with SMTP id f43csp1054600wra;
        Wed, 24 Jan 2018 09:53:21 -0800 (PST)
X-Google-Smtp-Source: AH8x227oID3JJ/jlgXPnw4GAy/e1sC/IdBg5brUVCHVotyIU4ekGhK9xYw4+MK80scWLpm7w4PNp
X-Received: by 2002:a17:902:4222:: with SMTP id g31-v6mr8743512pld.203.1516816401131;
        Wed, 24 Jan 2018 09:53:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516816401; cv=none;
        d=google.com; s=arc-20160816;
        b=UdaEH9UlC1/itaJRrMVziuAqKFNMxdyITwU0zSiXZMkcnJwuJc2aM/9GRcGIF/kL3u
         2ShPyP7VkYS10GapNQrpxlNyJGaXBNDvyC6Q3VSn57d190e2xJQoxbBzul/kZZs5Y+az
         RHgjKswNTNT9bSEOG3qg0n3MjQ01axHFPqHTIFkAfGK/vkgmQ8dzGE3NfnE/mbiylF0Q
         aSz9tPFrjetgiVAKswk4i6XR+NAwxjcl2VbbVUTJ6BNEMVuseszoR3rhQhsabZ0qsyBE
         gFD8xKGU+R1H//PvlOmcGXFKARdEZXaLEpcC7waa0rR+KB6ZRW1NbyxzV/JJlLtyph//
         8+RQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=vQ0S38SGly8fM4WocEN48ceTv1bUam7Tk+qGqVugeo0=;
        b=s7O3m0udXwQR4izX1M3Tx1w74bYnVNT2YyTfObwbo3uz5XpxjLZWnkd32mM7tTLIuC
         HCaMoD8cA8rR5+QHS3zGJ/hfwby4It0O4gJlaoAwnvRRIz7gr6/M7EnX3sIKM5iOzaNx
         +7iLzlP2gWDNbQpErkOnrG4lTUxp4Bpmd64mrsHPPbL5i2d4RyEHZkH0AIGiAcE3cyBK
         J7+4PVSa2MRvqg0iMJymEexVHIOsDS/0sfer+Wc4NS7dFuPccQdmybuaHqplqVkGjo+f
         eivUb88QwQqIhbLb0oUvWxaNAd1E+zsNn+deo02DlPttawYuMPoKdT6kBYTkHqs/Wvd1
         7YTw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h9si363272pgq.683.2018.01.24.09.53.06;
        Wed, 24 Jan 2018 09:53:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S964961AbeAXRwi (ORCPT <rfc822;xuyizhaos@gmail.com> + 99 others);
        Wed, 24 Jan 2018 12:52:38 -0500
Received: from h2.hallyn.com ([78.46.35.8]:47898 "EHLO h2.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S964826AbeAXRwg (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 24 Jan 2018 12:52:36 -0500
Received: by h2.hallyn.com (Postfix, from userid 1001)
        id A01241200AD; Wed, 24 Jan 2018 11:52:34 -0600 (CST)
Date:   Wed, 24 Jan 2018 11:52:34 -0600
From:   "Serge E. Hallyn" <serge@hallyn.com>
To:     Alban Crequy <alban.crequy@gmail.com>
Cc:     alban@kinvolk.io, dongsu@kinvolk.io, iago@kinvolk.io,
        linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, miklos@szeredi.hu,
        viro@zeniv.linux.org.uk, zohar@linux.vnet.ibm.com,
        dmitry.kasatkin@gmail.com, james.l.morris@oracle.com,
        serge@hallyn.com, seth.forshee@canonical.com, hch@infradead.org
Subject: Re: [RFC PATCH v3 2/2] ima: force re-appraisal on filesystems with
 FS_IMA_NO_CACHE
Message-ID: <20180124175234.GA29811@mail.hallyn.com>
References: <20180122162452.8756-1-alban@kinvolk.io>
 <20180122162452.8756-3-alban@kinvolk.io>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180122162452.8756-3-alban@kinvolk.io>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Alban Crequy (alban.crequy@gmail.com):
> From: Alban Crequy <alban@kinvolk.io>
> 
> This patch forces files to be re-measured, re-appraised and re-audited
> on file systems with the feature flag FS_IMA_NO_CACHE. In that way,
> cached integrity results won't be used.
> 
> How to test this:
> 
> The test I did was using a patched version of the memfs FUSE driver
> [1][2] and two very simple "hello-world" programs [4] (prog1 prints
> "hello world: 1" and prog2 prints "hello world: 2").
> 
> I copy prog1 and prog2 in the fuse-memfs mount point, execute them and
> check the sha1 hash in
> "/sys/kernel/security/ima/ascii_runtime_measurements".
> 
> My patch on the memfs FUSE driver added a backdoor command to serve
> prog1 when the kernel asks for prog2 or vice-versa. In this way, I can
> exec prog1 and get it to print "hello world: 2" without ever replacing
> the file via the VFS, so the kernel is not aware of the change.
> 
> The test was done using the branch "alban/fuse-flag-ima-nocache-v3" [3].
> 
> Step by step test procedure:
> 
> 1. Mount the memfs FUSE using [2]:
> rm -f  /tmp/memfs-switch* ; memfs -L DEBUG  /mnt/memfs
> 
> 2. Copy prog1 and prog2 using [4]
> cp prog1 /mnt/memfs/prog1
> cp prog2 /mnt/memfs/prog2
> 
> 3. Lookup the files and let the FUSE driver to keep the handles open:
> dd if=/mnt/memfs/prog1 bs=1 | (read -n 1 x ; sleep 3600 ) &
> dd if=/mnt/memfs/prog2 bs=1 | (read -n 1 x ; sleep 3600 ) &
> 
> 4. Check the 2 programs work correctly:
> $ /mnt/memfs/prog1
> hello world: 1
> $ /mnt/memfs/prog2
> hello world: 2
> 
> 5. Check the measurements for prog1 and prog2:
> $ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements \
>                 | grep /mnt/memfs/prog
> 10 [...] ima-ng sha1:ac14c9268cd2[...] /mnt/memfs/prog1
> 10 [...] ima-ng sha1:799cb5d1e06d[...] /mnt/memfs/prog2
> 
> 6. Use the backdoor command in my patched memfs to redirect file
> operations on file handle 3 to file handle 2:
> rm -f  /tmp/memfs-switch* ; touch /tmp/memfs-switch-3-2
> 
> 7. Check how the FUSE driver serves different content for the files:
> $ /mnt/memfs/prog1
> hello world: 2
> $ /mnt/memfs/prog2
> hello world: 2
> 
> 8. Check the measurements:
> sudo cat /sys/kernel/security/ima/ascii_runtime_measurements \
>                 | grep /mnt/memfs/prog
> 
> Without the patch, there are no new measurements, despite the FUSE
> driver having served different executables.
> 
> With the patch, I can see additional measurements for prog1 and prog2
> with the hashes reversed when the FUSE driver served the alternative
> content.
> 
> [1] https://github.com/bbengfort/memfs
> [2] https://github.com/kinvolk/memfs/commits/alban/switch-files
> [3] https://github.com/kinvolk/linux/commits/alban/fuse-flag-ima-nocache-v3
> [4] https://github.com/kinvolk/fuse-userns-patches/commit/cf1f5750cab0
> 
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-integrity@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: linux-fsdevel@vger.kernel.org
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> Cc: James Morris <james.l.morris@oracle.com>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>

Acked-by: Serge Hallyn <serge@hallyn.com>

to both.

> Cc: Seth Forshee <seth.forshee@canonical.com>
> Cc: Christoph Hellwig <hch@infradead.org>
> Tested-by: Dongsu Park <dongsu@kinvolk.io>
> Signed-off-by: Alban Crequy <alban@kinvolk.io>
> ---
>  security/integrity/ima/ima_main.c | 24 ++++++++++++++++++++++--
>  1 file changed, 22 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 6d78cb26784d..8870a7bbe9b9 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -24,6 +24,7 @@
>  #include <linux/slab.h>
>  #include <linux/xattr.h>
>  #include <linux/ima.h>
> +#include <linux/fs.h>
>  
>  #include "ima.h"
>  
> @@ -228,9 +229,28 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
>  				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
>  				 IMA_ACTION_FLAGS);
>  
> -	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags))
> -		/* reset all flags if ima_inode_setxattr was called */
> +	/*
> +	 * Reset the measure, appraise and audit cached flags either if:
> +	 * - ima_inode_setxattr was called, or
> +	 * - based on filesystem feature flag
> +	 * forcing the file to be re-evaluated.
> +	 */
> +	if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags)) {
>  		iint->flags &= ~IMA_DONE_MASK;
> +	} else if (inode->i_sb->s_type->fs_flags & FS_IMA_NO_CACHE) {
> +		if (action & IMA_MEASURE) {
> +			iint->measured_pcrs = 0;
> +			iint->flags &=
> +			    ~(IMA_COLLECTED | IMA_MEASURE | IMA_MEASURED);
> +		}
> +		if (action & IMA_APPRAISE)
> +			iint->flags &=
> +			    ~(IMA_COLLECTED | IMA_APPRAISE | IMA_APPRAISED |
> +			      IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK);
> +		if (action & IMA_AUDIT)
> +			iint->flags &=
> +			    ~(IMA_COLLECTED | IMA_AUDIT | IMA_AUDITED);
> +	}
>  
>  	/* Determine if already appraised/measured based on bitmask
>  	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
> -- 
> 2.13.6