From: Roberto Sassu
To: Al Viro, Linus Torvalds
CC: Mimi Zohar, Christoph Hellwig, "linux-integrity@vger.kernel.org", "linux-security-module@vger.kernel.org", "linux-kernel@vger.kernel.org", Silviu Vlasceanu, "stable@vger.kernel.org", "linux-fsdevel@vger.kernel.org"
Subject: RE: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()
Date: Tue, 17 Nov 2020 12:29:55 +0000
Message-ID: <945773097832444ca31847c830b0053c@huawei.com>
In-Reply-To: <20201116180855.GX3576660@ZenIV.linux.org.uk>

> From: Al Viro [mailto:viro@ftp.linux.org.uk] On Behalf Of Al Viro
> Sent: Monday, November 16, 2020 7:09 PM
> On Mon, Nov 16, 2020 at 09:37:32AM -0800, Linus Torvalds wrote:
> > On Mon, Nov 16, 2020 at 8:47 AM Mimi Zohar wrote:
> > >
> > > This discussion seems to be going down the path of requiring an IMA
> > > filesystem hook for reading the file, again. That solution was
> > > rejected, not by me. What is new this time?
> >
> > You can't read a non-read-opened file. Not even IMA can.
> >
> > So don't do that then.
> >
> > IMA is doing something wrong. Why would you ever read a file that can't
> > be read?
> >
> > Fix whatever "open" function instead of trying to work around the fact
> > that you opened it wrong.
>
> IMA pulls that crap on _every_ open(2), including O_WRONLY. As far as I'm
> concerned, the only sane answer is not enabling that thing on your builds;
> they are deeply special and I hadn't been able to reason with them no
> matter how much I tried ;-/

A file-based protection mechanism against offline attacks would require
verifying the current HMAC also before writing and updating the HMAC
after the write.

One of the reasons why dentry_open() cannot be used and IMA switches to
the old method of changing the mode of the current file descriptor is that
the current process does not have enough privileges to do the operation.

If we find a way to read the file that always works, without reducing the
security, the old method can be removed.

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Li Jian, Shi Yanli
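
A userspace model of the verify-before-write, update-after-write sequence described in this message, added here as an illustration; it is not code from the kernel, from IMA/EVM, or from the patch. The key, the sidecar `.hmac` file and all function names are assumptions; the second read-only open stands in for a separate read path and succeeds here only because the test process has read permission.

```python
import errno, hashlib, hmac, os, tempfile

KEY = b"constructed-demo-key"  # assumption: a key an offline attacker does not hold

def tag(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def seal(path, tag_path):  # the "update the HMAC after the write" step
    with open(path, "rb") as f, open(tag_path, "wb") as t:
        t.write(tag(f.read()))

def fd_is_readable(fd):
    try:
        os.read(fd, 1)
    except OSError as e:
        if e.errno == errno.EBADF:  # read(2) on a descriptor opened O_WRONLY
            return False
        raise
    return True

def protected_append(path, tag_path, data):
    """Write-only open under the policy: verify HMAC, write, update HMAC."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    try:
        readable = fd_is_readable(fd)
        # Verification cannot use the caller's descriptor; it needs a second open.
        with open(path, "rb") as f, open(tag_path, "rb") as t:
            if not hmac.compare_digest(t.read(), tag(f.read())):
                return "denied", readable
        os.write(fd, data)
    finally:
        os.close(fd)
    seal(path, tag_path)
    return "ok", readable

def demo():
    with tempfile.TemporaryDirectory() as d:
        path, tag_path = os.path.join(d, "data"), os.path.join(d, "data.hmac")
        with open(path, "wb") as f:
            f.write(b"constructed content\n")
        seal(path, tag_path)
        first = protected_append(path, tag_path, b"legit write\n")
        with open(path, "ab") as f:  # constructed offline change, HMAC not updated
            f.write(b"tampered\n")
        second = protected_append(path, tag_path, b"next write\n")
        with open(path, "rb") as f:
            return first, second, f.read()

if __name__ == "__main__":
    print(demo())
```
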