Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA094C636CC for ; Tue, 31 Jan 2023 11:33:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230344AbjAaLdQ (ORCPT ); Tue, 31 Jan 2023 06:33:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34690 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230132AbjAaLdM (ORCPT ); Tue, 31 Jan 2023 06:33:12 -0500 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46B594AA7F; Tue, 31 Jan 2023 03:32:28 -0800 (PST) Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 30VARSXR031547; Tue, 31 Jan 2023 11:32:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject : from : to : cc : date : in-reply-to : references : content-type : mime-version : content-transfer-encoding; s=pp1; bh=QDH1LT0pPC43JQfZiLTfm89mEd2bhyJeJF13YAeb7qk=; b=MMxnz7oBOiJTG6usma+/4pO0r6W+YhG547qXCNfjA8UhvnJtiyzvYqF5n6FJ1+7styDT zGPwMUryFlhHT6mSPEkVWn6WKcaQ4gSplbA52YxfDxc0FBWND8i9Ofcd5hykrDE74nAT uukVmj99qe96oYMq4HNuYF5gRXvLOT9gtbtvXI0pcZ0lCCdJ1eaf9hL936U6IiRajiYl 5eRK4phya5BO2TaLijbm18JqJNFGeuvAK8LIb5JNBQNMtC/oBTKmuMBx0oassYFIwK0F z7uk2HFZ1tp85bgVzqaYc5sy+JJVpP9mQJfceP6hsz1thPbMS3o4NBVMRh5M9MQzBQUS Ew== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nf18k9h2a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 31 Jan 2023 11:32:09 +0000 Received: from m0127361.ppops.net (m0127361.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 30VAuU25001653; Tue, 31 Jan 2023 11:32:05 GMT Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3nf18k9h13-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 31 Jan 2023 11:32:05 +0000 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 30VA7aQ7008390; Tue, 31 Jan 2023 11:31:58 GMT Received: from smtprelay07.dal12v.mail.ibm.com ([9.208.130.99]) by ppma04dal.us.ibm.com (PPS) with ESMTPS id 3ncvw2kpf6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 31 Jan 2023 11:31:58 +0000 Received: from smtpav05.wdc07v.mail.ibm.com (smtpav05.wdc07v.mail.ibm.com [10.39.53.232]) by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 30VBVvPG28377788 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 31 Jan 2023 11:31:57 GMT Received: from smtpav05.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 765D058043; Tue, 31 Jan 2023 11:31:57 +0000 (GMT) Received: from smtpav05.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4F99058053; Tue, 31 Jan 2023 11:31:56 +0000 (GMT) Received: from li-f45666cc-3089-11b2-a85c-c57d1a57929f.ibm.com (unknown [9.160.114.140]) by smtpav05.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 31 Jan 2023 11:31:56 +0000 (GMT) Message-ID: <1c7d861a143106e56cfe382d1ab6c293fa43aff1.camel@linux.ibm.com> Subject: Re: [PATCH -next] evm: Use __vfs_setxattr() to update security.evm From: Mimi Zohar To: "Guozihua (Scott)" , Xiu Jianfeng , dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Date: Tue, 31 Jan 2023 06:31:55 -0500 In-Reply-To: References: <20221228030248.94285-1-xiujianfeng@huawei.com> <3c34c1e8c74722110e5d7e87146b090791734916.camel@linux.ibm.com> Content-Type: text/plain; charset="ISO-8859-15" X-Mailer: Evolution 3.28.5 (3.28.5-18.el8) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 X-Proofpoint-GUID: k1J4jdshPFAghjaFNQUhFJk--GXo2MFR X-Proofpoint-ORIG-GUID: e4R8ym3jzWQSeWxpdSHIOD22Jn58m8re X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.122.1 definitions=2023-01-31_05,2023-01-31_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 bulkscore=0 clxscore=1015 malwarescore=0 adultscore=0 suspectscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 spamscore=0 priorityscore=1501 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2301310102 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2023-01-30 at 09:53 +0800, Guozihua (Scott) wrote: > On 2023/1/19 5:45, Mimi Zohar wrote: > > On Wed, 2022-12-28 at 11:02 +0800, Xiu Jianfeng wrote: > >> Currently it uses __vfs_setxattr_noperm() to update "security.evm", > >> however there are two lsm hooks(inode_post_setxattr and inode_setsecurity) > >> being called inside this function, which don't make any sense for xattr > >> "security.evm", because the handlers of these two hooks, such as selinux > >> and smack, only care about their own xattr. > > > > Updating the security.ima hash triggers re-calculating and writing the > > security.evm HMAC. Refer to evm_inode_post_setxattr(). > > Hi Mimi, > > I believe what Jianfeng is trying to do is to avoid re-triggering > security_inode_post_setxattr if we are updating security.evm. I can't > think of any other xattr that could "absorb" security.evm. I understand. Comments below ... > > > >> > >> On the other hand, there is a literally rather than actually cyclical > >> callchain as follows: > >> security_inode_post_setxattr > >> ->evm_inode_post_setxattr > >> ->evm_update_evmxattr > >> ->__vfs_setxattr_noperm > >> ->security_inode_post_setxattr > >> > >> So use __vfs_setxattr() to update "security.evm". > >> > >> Signed-off-by: Xiu Jianfeng > >> --- > >> security/integrity/evm/evm_crypto.c | 7 +++---- > >> security/integrity/ima/ima_appraise.c | 8 ++++---- > >> 2 files changed, 7 insertions(+), 8 deletions(-) > >> > >> diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c > >> index fa5ff13fa8c9..d8275dfa49ef 100644 > >> --- a/security/integrity/evm/evm_crypto.c > >> +++ b/security/integrity/evm/evm_crypto.c > >> @@ -376,10 +376,9 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, > >> xattr_value_len, &data); > >> if (rc == 0) { > >> data.hdr.xattr.sha1.type = EVM_XATTR_HMAC; > >> - rc = __vfs_setxattr_noperm(&init_user_ns, dentry, > >> - XATTR_NAME_EVM, > >> - &data.hdr.xattr.data[1], > >> - SHA1_DIGEST_SIZE + 1, 0); > >> + rc = __vfs_setxattr(&init_user_ns, dentry, d_inode(dentry), > >> + XATTR_NAME_EVM, &data.hdr.xattr.data[1], > >> + SHA1_DIGEST_SIZE + 1, 0); Although __vfs_setxattr_noperm() doesn't do any permission checking, it does other things - make sure the filesystem supports writing xattrs, calls fsnotify_xattr(). > >> } else if (rc == -ENODATA && (inode->i_opflags & IOP_XATTR)) { > >> rc = __vfs_removexattr(&init_user_ns, dentry, XATTR_NAME_EVM); > >> } > >> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > >> index ee6f7e237f2e..d2de9dc6c345 100644 > >> --- a/security/integrity/ima/ima_appraise.c > >> +++ b/security/integrity/ima/ima_appraise.c > >> @@ -98,10 +98,10 @@ static int ima_fix_xattr(struct dentry *dentry, > >> iint->ima_hash->xattr.ng.type = IMA_XATTR_DIGEST_NG; > >> iint->ima_hash->xattr.ng.algo = algo; > >> } > >> - rc = __vfs_setxattr_noperm(&init_user_ns, dentry, XATTR_NAME_IMA, > >> - &iint->ima_hash->xattr.data[offset], > >> - (sizeof(iint->ima_hash->xattr) - offset) + > >> - iint->ima_hash->length, 0); > >> + rc = __vfs_setxattr(&init_user_ns, dentry, d_inode(dentry), > >> + XATTR_NAME_IMA, &iint->ima_hash->xattr.data[offset], > >> + (sizeof(iint->ima_hash->xattr) - offset) + > >> + iint->ima_hash->length, 0); To clarify, ima_fix_xattr() is either directly called when in "fix" mode or from ima_update_xattr(). With this change, the recalculated file hash would be written to security.ima, but security.evm would not be updated. > >> return rc; > >> } -- thanks, Mimi