Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp2245213rwl; Thu, 6 Apr 2023 07:44:06 -0700 (PDT) X-Google-Smtp-Source: AKy350YGWc/SZnSmYjzKnYVbFNMpQC4A0l1xn09QvPJSbN7fI8elImO3jHoUqtLTXv/i+7tZpAPP X-Received: by 2002:a17:906:b293:b0:947:71bf:ca19 with SMTP id q19-20020a170906b29300b0094771bfca19mr6899820ejz.65.1680792246027; Thu, 06 Apr 2023 07:44:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680792246; cv=none; d=google.com; s=arc-20160816; b=NXMzo4KQlF+4GpUCoNhSas16xNxr13v6yMafep/mfL+v5ey4JS9NvzTBzFrPg77vXz Dd2AmKMgR+9MOifaYmmXexisfOaI1wfKmUIKSLnimiilQ7sEMN8147X/9jrveAZwMjXT lFpB2hbe/u0PGuQ/IJAUxYR8c1krR/uDUEq5r3T4pkmPD6adBRqavyLwOdhWc3kzipoq iMLSbtgfBUc2KVXwpRVY46EULafEskRjodMKlqX1Jpk3IED1HPHixXg60eThIctWO2Ee wYhu4Pt/jAdvcFbati1CZ4TtLq6zORTxtYhO7FHIrz/7S98oMIu5ExKO3xNFDUnBdArI 8zUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=lNx+MpJaLafLCN78HnmInCHHb+TFh8dvtnnKiIxs/Rk=; b=RdxMgksApY8oMB9H4zpv3ZnwrG1U1U0lfzHnquubU5mKh3MyY638h7/XjOSwuYdDeb torh+eqMp+geak266IzAcDHiUetn/WGcnUg1blhFOP3vuZ4yIX1a4hA4W/+DM3PZpGR1 U5f5ergFNjv29B67Vi825hVK6muMd04VDROBQCBkB/NndR5mOaPWiXTO4MKZl1VHTXRp IshXlXVSgpFQfderhoLtT90wdJsiOuCxWQQlnrpWvLzt9M+e+cv20rc9tVtL6Ww8LpK3 f8eP5WS+hPCb0W4XCHgVikj+qzVAjx6nQXZAGy6086jPfj/ftOseYDNjbXqFGDJLRiXW U6Ag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=fsOi3sHh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id jr6-20020a170906a98600b0093e277f4cc2si1123596ejb.429.2023.04.06.07.43.41; Thu, 06 Apr 2023 07:44:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=fsOi3sHh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239205AbjDFOjT (ORCPT + 99 others); Thu, 6 Apr 2023 10:39:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239148AbjDFOiy (ORCPT ); Thu, 6 Apr 2023 10:38:54 -0400 Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 08034D31D for ; Thu, 6 Apr 2023 07:36:52 -0700 (PDT) Received: by mail-yb1-xb30.google.com with SMTP id f188so27893117ybb.3 for ; Thu, 06 Apr 2023 07:36:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1680791812; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=lNx+MpJaLafLCN78HnmInCHHb+TFh8dvtnnKiIxs/Rk=; b=fsOi3sHhMHJH7RJSIdZbBRS/H8CzrE8wq69/k/j7gKLgbFakhpQVMfB0DIuWL9wMwU vK80y6zlprjbRT3zeH6iFk0X4MwNiNIc7iGIsUilciv5CY3kj6zukLI/otspBOlPpiLm qdvFZaTZMOl/OUEr3bttcVNZ/u2hwIPBQ5Gq4P/As986XIMIZCVl+qrjcg0kZtF8buTf JtD1LJYyqalpfBSUZmHqnVewlrP2ryZS75lc+0OmQk2H5qp0GkkPYoq7mRnx7b7UevMM Nc+rwR1CzkKxtOvK4fETiuks/W2Jl1THnbtzFDFNwvyUFyTQkZPN+JBiKA0vz2oiQo63 9viA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680791812; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lNx+MpJaLafLCN78HnmInCHHb+TFh8dvtnnKiIxs/Rk=; b=Wkei5eHsDp5fHDEw/uFVa1Jevz8rg9lhE2R4DqLLoTjIkaEDkJgPlUikpgH9NiqHYF DssldC7yrM84pxRtBOedZwuoPCJdfl2d854GppZrl5ka7URA0AbwKxHrDEiOnlurUx0r rA36vr8IjtvckJl5dA5aImrptBazfnzjviNDIXe2wSMr3xlDesdKaGymKFMisKmhQxxc khTxYDhYjYW/0DZptotqpbTEpJiJ8g7+pURM73BCkJxUqKr/mFHjT33FzZldQ5SMD0Yb zY8bQY5OhhhwhmGxKf3aN34iQw1wMmqJPcxocti1PFM322HYIqY/TQBH2/Fqzl2o4EuA w50Q== X-Gm-Message-State: AAQBX9doja3yIv9TXdpxnap8FZNBdeqpV9w/iFsF8+aYY/qPaiz2Mt+U SlG2fQR71s1lgiMK8cLSQk5ormS4Dd79wEHE/8JD X-Received: by 2002:a25:cc42:0:b0:b76:ceb2:661b with SMTP id l63-20020a25cc42000000b00b76ceb2661bmr2229794ybf.3.1680791812031; Thu, 06 Apr 2023 07:36:52 -0700 (PDT) MIME-Version: 1.0 References: <20230405171449.4064321-1-stefanb@linux.ibm.com> <20230406-diffamieren-langhaarig-87511897e77d@brauner> In-Reply-To: From: Paul Moore Date: Thu, 6 Apr 2023 10:36:41 -0400 Message-ID: Subject: Re: [PATCH] overlayfs: Trigger file re-evaluation by IMA / EVM after writes To: Stefan Berger Cc: Christian Brauner , zohar@linux.ibm.com, linux-integrity@vger.kernel.org, miklos@szeredi.hu, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, amir73il@gmail.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 6, 2023 at 10:20=E2=80=AFAM Stefan Berger wrote: > On 4/6/23 10:05, Paul Moore wrote: > > On Thu, Apr 6, 2023 at 6:26=E2=80=AFAM Christian Brauner wrote: > >> On Wed, Apr 05, 2023 at 01:14:49PM -0400, Stefan Berger wrote: > >>> Overlayfs fails to notify IMA / EVM about file content modifications > >>> and therefore IMA-appraised files may execute even though their file > >>> signature does not validate against the changed hash of the file > >>> anymore. To resolve this issue, add a call to integrity_notify_change= () > >>> to the ovl_release() function to notify the integrity subsystem about > >>> file changes. The set flag triggers the re-evaluation of the file by > >>> IMA / EVM once the file is accessed again. > >>> > >>> Signed-off-by: Stefan Berger > >>> --- > >>> fs/overlayfs/file.c | 4 ++++ > >>> include/linux/integrity.h | 6 ++++++ > >>> security/integrity/iint.c | 13 +++++++++++++ > >>> 3 files changed, 23 insertions(+) > >>> > >>> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c > >>> index 6011f955436b..19b8f4bcc18c 100644 > >>> --- a/fs/overlayfs/file.c > >>> +++ b/fs/overlayfs/file.c > >>> @@ -13,6 +13,7 @@ > >>> #include > >>> #include > >>> #include > >>> +#include > >>> #include "overlayfs.h" > >>> > >>> struct ovl_aio_req { > >>> @@ -169,6 +170,9 @@ static int ovl_open(struct inode *inode, struct f= ile *file) > >>> > >>> static int ovl_release(struct inode *inode, struct file *file) > >>> { > >>> + if (file->f_flags & O_ACCMODE) > >>> + integrity_notify_change(inode); > >>> + > >>> fput(file->private_data); > >>> > >>> return 0; > >>> diff --git a/include/linux/integrity.h b/include/linux/integrity.h > >>> index 2ea0f2f65ab6..cefdeccc1619 100644 > >>> --- a/include/linux/integrity.h > >>> +++ b/include/linux/integrity.h > >>> @@ -23,6 +23,7 @@ enum integrity_status { > >>> #ifdef CONFIG_INTEGRITY > >>> extern struct integrity_iint_cache *integrity_inode_get(struct inod= e *inode); > >>> extern void integrity_inode_free(struct inode *inode); > >>> +extern void integrity_notify_change(struct inode *inode); > >> > >> I thought we concluded that ima is going to move into the security hoo= k > >> infrastructure so it seems this should be a proper LSM hook? > > > > We are working towards migrating IMA/EVM to the LSM layer, but there > > are a few things we need to fix/update/remove first; if anyone is > > curious, you can join the LSM list as we've been discussing some of > > these changes this week. Bug fixes like this should probably remain > > as IMA/EVM calls for the time being, with the understanding that they > > will migrate over with the rest of IMA/EVM. > > > > That said, we should give Mimi a chance to review this patch as it is > > possible there is a different/better approach. A bit of patience may > > be required as I know Mimi is very busy at the moment. > > There may be a better approach actually by increasing the inode's i_versi= on, > which then should trigger the appropriate path in ima_check_last_writer()= . I'm not the VFS/inode expert here, but I thought the inode's i_version field was only supposed to be bumped when the inode metadata changed, not necessarily the file contents, right? That said, overlayfs is a bit different so maybe that's okay, but I think we would need to hear from the VFS folks if this is acceptable. --=20 paul-moore.com