Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1082275imu; Fri, 4 Jan 2019 12:43:06 -0800 (PST) X-Google-Smtp-Source: ALg8bN55g0xLgOFA3sjzNOjLT+73VjkCXHGpg6fxXf6cFAZs20W6p9JJWdMsIsv3LQuWlbJRFJDV X-Received: by 2002:a63:a30a:: with SMTP id s10mr2672884pge.234.1546634586423; Fri, 04 Jan 2019 12:43:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546634586; cv=none; d=google.com; s=arc-20160816; b=s8nAFe7QBqD6zA6qvR3KJDRJ8YgHwGMRKPnSk00fxjzHgtnS7l9KRcTXI0ZDjkX6Jk VZKoA4r/ffrQ4yQseWfIhySiTg69ITq22dDyGnu8SYXLFUVJtpiKUvL2yJ4kIG5GhGUV Z1dHXed166GPLvqz34bYshFqdxRdQDs1Ol24V+EsYg7W5jCNDNs8ISF6mpGt+VSJV5rZ kvRI92v+aMaAZgxVuyvhEI7Q5WTeHkwOfwWCoohyvsab87hvOV7wJcIUKfciWgodQjDD 2rP+gPUbF2CsMljHW+2XhPmI91RTW3P+pbRECCobATg3iNxLXnvWB1I9yiyZ3yoIFq2n N3ag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=iYKZYw9pBbs+9M1bv1xHHmg2hwlGwpPr6KW4wutdFrE=; b=vOiA3cs/ySergFTApH2of+UAEmkceWK36kzTgEqA8jwaZOBo66nOtlk+yKHPiMPn2Z ORBOpUu5buugOKNB+OKRkmRI+n+Y3ZEkGiNmtBmLBIr1pfxw6zhywb/wgLpgTxaGOgtb Otc0GlHBU/TPVvbOFkx9Tc6KXk6xaS+YoKnKrXnHPEWVzp7VRIpQGskm74I3xcTDTOgo V2D3qm5vEiRcjr7tuZgtiXCYPC8J/W9X8hq9YotdbfE71RMy6sv2sB4RIJXuYUOr4b2s sgxiV4qBmvfdTrjaSK1aLuZPx6r2U9f8Qkl+ctAPu1mXN4pa1sawoCc+gcaO40RdNqT+ /IQQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="IttU7/pD"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g15si2136564pgl.141.2019.01.04.12.42.50; Fri, 04 Jan 2019 12:43:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="IttU7/pD"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726089AbfADUli (ORCPT + 99 others); Fri, 4 Jan 2019 15:41:38 -0500 Received: from mail-vs1-f66.google.com ([209.85.217.66]:35441 "EHLO mail-vs1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725987AbfADUlh (ORCPT ); Fri, 4 Jan 2019 15:41:37 -0500 Received: by mail-vs1-f66.google.com with SMTP id e7so23396364vsc.2 for ; Fri, 04 Jan 2019 12:41:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-transfer-encoding; bh=iYKZYw9pBbs+9M1bv1xHHmg2hwlGwpPr6KW4wutdFrE=; b=IttU7/pDppjWUeGDwEevTCiWMCD6at5Wn5a61ygivQcrbCUb5THZTR4M2XvuD2IAeu 4tggkypMhz2mAe8NZCt6HYscdeddDLAwZYPvKUMxn5G1Pa/jJFlXYxmWzO+Z4Uvz048/ IEGh8EQx8i+DDTQ3QTpGzDz4e4p3094PqmekaIedFBTwVeIj5DpZrWF2GNUAoew1S6I2 TNkO70nI07rNN0417f6T7szhLDyI+yQbjwH1MftWjB8i/pzRpw1OkKQaX8wqGKgPZHxu juyAsiQ+ucSXsrYTAaUbJxPl8QvQblrDfwBvY0ltgrAtCgcLgNeqzg8iUqYQgO/o75l0 n6Og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=iYKZYw9pBbs+9M1bv1xHHmg2hwlGwpPr6KW4wutdFrE=; b=ggze9Yq/bKYvgh4xQKvQOii9e9rAVvxj5nCEysXYwczc0O6ZqV4IkEiJXKa7cVJkLy 3QGtYOKvqK4Xbwa3nIMjm5X9pEJoExUDaiXeVa5GyLGZAOuntUpZCSUh8dzyuJthc7hF VYFVuKD6if454/oY5+EVn5ESsRaIyLI84tfUY2UT6qz38AWTejDifGSP5QRPPAYULoqG 3vVGUFeBJSRiSSwoKWuAKIgbKfW4+F/XiggU9J4ChCsg686Q9Obbyw78pw+Sr9Mj2Hmr dCGeD6rkY+ItrpvxyhUE5Sxfq4fBjQjcugSrxESE9mDoX8i2Ags4RB4C5z2YlnEPMke2 yCOg== X-Gm-Message-State: AJcUukejahuTb0d32dhF2xFdOsN+KFOaPTnVrP94Yc9TiXKmguAAY2lz SJfs+fAfixCpHgr0o56S/vg0SbHdV7sYwLfQr8usfw== X-Received: by 2002:a67:c104:: with SMTP id d4mr21961178vsj.171.1546634495753; Fri, 04 Jan 2019 12:41:35 -0800 (PST) MIME-Version: 1.0 References: <20181219071420.GC2628@infradead.org> <20181219021953.GD31274@dastard> <20181219193005.GB6889@mit.edu> <20181219213552.GO6311@dastard> <20181220220158.GC2360@mit.edu> <20181221070447.GA21687@infradead.org> <20181221154714.GA26547@mit.edu> <20181222041712.GC26547@mit.edu> <20181223041007.GL10600@bombadil.infradead.org> <20181223044553.GG26547@mit.edu> In-Reply-To: <20181223044553.GG26547@mit.edu> From: Daniel Colascione Date: Fri, 4 Jan 2019 12:41:24 -0800 Message-ID: Subject: Re: [PATCH v2 01/12] fs-verity: add a documentation file To: "Theodore Y. Ts'o" , Matthew Wilcox , Linus Torvalds , Christoph Hellwig , Dave Chinner , "Darrick J. Wong" , Eric Biggers , linux-fscrypt@vger.kernel.org, linux-fsdevel , linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-integrity@vger.kernel.org, Linux List Kernel Mailing , Jaegeuk Kim , Victor Hsieh , Chandan Rajendra Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Dec 22, 2018 at 8:46 PM Theodore Y. Ts'o wrote: > > On Sat, Dec 22, 2018 at 08:10:07PM -0800, Matthew Wilcox wrote: > > Pretty much every file format has the ability to put arbitrary blocks > > of information into a file somewhere the tools which don't know about > > it will skip it. For example, ZIP "includes an extra field facility > > within file headers, which can be used to store extra data not defined > > by existing ZIP specifications, and which allow compliant archivers tha= t > > do not recognize the fields to safely skip them. Header IDs 0=E2=80=933= 1 are > > reserved for use by PKWARE. The remaining IDs can be used by third-part= y > > vendors for proprietary usage. " (Wikipedia) > > > > ELF, PNG, PDF and many other formats have the ability to put data > > _somewhere_. It might not be at the tail of the file, but there's > > somewhere to do it. > > > > (I appreciate this isn't what Linus is asking for, but I'm pointing out > > that this is by no means as intractable as you make it sound.) > > That design would require the fs-verity code to know the type of eacho > file, and where to find the in-band Merkle tree for each file type > that we wanted to support. And if you wanted to use fs-verity to > protect a sudoers text configuration file (for example), we'd have to > teach sudo how to ignore the userspace visible Merkle tree. I'm pretty late to the game, but I just want to bring up one approach that I'm not sure people have previously considered. You can't put the verification blob in an xattr due to xattr size limits, but you *can* put a filename in an xattr. What if, at open time, fs-verity looked for a specially-named xattr attached to a file, resolved that name like a symlink target, opened the pointed-to file, and just used *that* as the authentication blob? It'd also be possible to teach unlink to delete the pointed-to file when the pointer file is deleted --- sort of like a simple and stupid kind of data fork. For example, if you wanted to secure /usr/bin/emacs, you could set an security.fsverify.verification_file xattr (in the system namespace because the xattr has special semantics) to "/.verification-blobs/@usr@bin@emacs.hashtree" or something like that. Then, open(2) on /usr/bin/emacs would, internally to VFS, also open /.verification-blobs/@usr@bin@emacs.hashtree and read verification data from it, transparently to both users and the underlying filesystem. If someone deleted /usr/bin/emacs, VFS would automatically delete /.verification-blobs/@usr@bin@emacs.hashtree. If /.verification-blobs/@usr@bin@emacs.hashtree didn't exist at time of open(2) of /usr/bin/emacs, or couldn't be opened for whatever reason, the open(2) of /usr/bin/emacs would fail. ISTM that a scheme like this would give you some of the advantages of jumbo xattrs, but with much less implementation complexity. If someone's proposed something like this before, sorry for the noise.