References: <20230405171449.4064321-1-stefanb@linux.ibm.com> <20230406-diffamieren-langhaarig-87511897e77d@brauner>
In-Reply-To: <20230406-diffamieren-langhaarig-87511897e77d@brauner>
From: Paul Moore
Date: Thu, 6 Apr 2023 10:05:59 -0400
Subject: Re: [PATCH] overlayfs: Trigger file re-evaluation by IMA / EVM after writes
To: Christian Brauner, Stefan Berger
Cc: zohar@linux.ibm.com, linux-integrity@vger.kernel.org, miklos@szeredi.hu, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, amir73il@gmail.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 6, 2023 at 6:26 AM Christian Brauner wrote:
> On Wed, Apr 05, 2023 at 01:14:49PM -0400, Stefan Berger wrote:
> > Overlayfs fails to notify IMA / EVM about file content modifications
> > and therefore IMA-appraised files may execute even though their file
> > signature does not validate against the changed hash of the file
> > anymore. To resolve this issue, add a call to integrity_notify_change()
> > to the ovl_release() function to notify the integrity subsystem about
> > file changes. The set flag triggers the re-evaluation of the file by
> > IMA / EVM once the file is accessed again.
> >
> > Signed-off-by: Stefan Berger
> > ---
> > fs/overlayfs/file.c | 4 ++++
> > include/linux/integrity.h | 6 ++++++
> > security/integrity/iint.c | 13 +++++++++++++
> > 3 files changed, 23 insertions(+)
> >
> > diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> > index 6011f955436b..19b8f4bcc18c 100644
> > --- a/fs/overlayfs/file.c
> > +++ b/fs/overlayfs/file.c
> > @@ -13,6 +13,7 @@
> > #include
> > #include
> > #include
> > +#include
> > #include "overlayfs.h"
> >
> > struct ovl_aio_req {
> > @@ -169,6 +170,9 @@ static int ovl_open(struct inode *inode, struct file *file)
> >
> > static int ovl_release(struct inode *inode, struct file *file)
> > {
> > + if (file->f_flags & O_ACCMODE)
> > + integrity_notify_change(inode);
> > +
> > fput(file->private_data);
> >
> > return 0;
> > diff --git a/include/linux/integrity.h b/include/linux/integrity.h
> > index 2ea0f2f65ab6..cefdeccc1619 100644
> > --- a/include/linux/integrity.h
> > +++ b/include/linux/integrity.h
> > @@ -23,6 +23,7 @@ enum integrity_status {
> > #ifdef CONFIG_INTEGRITY
> > extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
> > extern void integrity_inode_free(struct inode *inode);
> > +extern void integrity_notify_change(struct inode *inode);
>
> I thought we concluded that ima is going to move into the security hook
> infrastructure so it seems this should be a proper LSM hook?

We are working towards migrating IMA/EVM to the LSM layer, but there are a few things we need to fix/update/remove first; if anyone is curious, you can join the LSM list as we've been discussing some of these changes this week. Bug fixes like this should probably remain as IMA/EVM calls for the time being, with the understanding that they will migrate over with the rest of IMA/EVM.

That said, we should give Mimi a chance to review this patch as it is possible there is a different/better approach. A bit of patience may be required as I know Mimi is very busy at the moment.

--
paul-moore.com
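Review bot: in the ovl_release() hunk, `file->f_flags & O_ACCMODE` is true whenever the file was opened O_WRONLY or O_RDWR (O_RDONLY is 0), so the notification fires on every close of a writable open whether or not any write actually happened, and it is keyed on `inode`, the overlay inode, while the file that was written is the real one released by `fput(file->private_data)`. Neither is necessarily wrong (an extra re-appraisal is the safe direction for IMA/EVM), but the commit message should state which inode IMA/EVM will re-evaluate and why an open-mode check was chosen over a modified/dirty indication; a one-line comment above the check such as `/* opened for writing: force IMA/EVM re-evaluation on next access */` would make the intent clear to the next reader.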
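Review bot: the `+extern void integrity_notify_change(struct inode *inode);` line in the integrity.h hunk sits inside `#ifdef CONFIG_INTEGRITY`, and the quote is cut before the `#else` branch; the diffstat shows 6 insertions to include/linux/integrity.h, so a static inline no-op stub for the !CONFIG_INTEGRITY case is presumably among them, but that should be confirmed, since fs/overlayfs/file.c now calls the function unconditionally and would fail to build on kernels without integrity support otherwise. The 13-line addition to security/integrity/iint.c is not quoted at all, so what the new function does (which iint flag it sets and under which lock) cannot be reviewed from this reply.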