From: Amir Goldstein
Date: Fri, 8 Dec 2023 23:55:19 +0200
Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs
To: Roberto Sassu
Cc: miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, paul@paul-moore.com, stefanb@linux.ibm.com, jlayton@kernel.org, brauner@kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Roberto Sassu
References: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com>
In-Reply-To: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com>
On Fri, Dec 8, 2023 at 7:25 PM Roberto Sassu wrote:
>
> From: Roberto Sassu
>
> EVM updates the HMAC in security.evm whenever there is a setxattr or
> removexattr operation on one of its protected xattrs (e.g. security.ima).
>
> Unfortunately, since overlayfs redirects those xattrs operations on the
> lower filesystem, the EVM HMAC cannot be calculated reliably, since lower
> inode attributes on which the HMAC is calculated are different from upper
> inode attributes (for example i_generation and s_uuid).
>
> Although maybe it is possible to align such attributes between the lower
> and the upper inode, another idea is to map security.evm to another name
> (security.evm_overlayfs)

If we were to accept this solution, this will need to be trusted.overlay.evm
to properly support private overlay xattr escaping.

> during an xattr operation, so that it does not
> collide with security.evm set by the lower filesystem.

You are using the wrong terminology and it is very confusing to me.
See the overlay mount command has lowerdir= and upperdir=.
Seems that you are using lower filesystem to refer to the upper fs
and upper filesystem to refer to overlayfs.

>
> Whenever overlayfs wants to set security.evm, it is actually setting
> security.evm_overlayfs calculated with the upper inode attributes. The
> lower filesystem continues to update security.evm.
>

I understand why that works, but I am having a hard time swallowing the
solution, mainly because I feel that there are other issues on the
intersection of overlayfs and IMA and I don't feel confident that this
addresses them all.

If you want to try to convince me, please try to write a complete model
of how IMA/EVM works with overlayfs, using the section "Permission model"
in Documentation/filesystems/overlayfs.rst as a reference.

Thanks,
Amir.
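A simplified Python model, added here and not part of the thread or of the kernel, of the problem the RFC describes: the EVM HMAC is bound to inode metadata such as i_generation and s_uuid, so a value computed for the inode on the filesystem backing upperdir does not verify against the overlayfs inode, and storing the overlayfs value under a separate xattr name keeps the two from colliding. The key, the field layout and the inode values are constructed; the kernel's real struct hmac_misc, key handling and xattr ordering differ, and the inode names follow the terminology correction in the reply (backing fs vs. overlayfs), not the patch text.

```python
import hashlib
import hmac
import struct
import uuid

# Constructed key; the kernel takes the EVM key from the kernel keyring.
EVM_KEY = b"constructed-evm-hmac-key"

# Protected xattr contents (constructed sample values).
XATTRS = {b"security.ima": b"constructed-ima-file-hash"}

# Two inode identities for the same file. The patch text calls these
# "lower" and "upper"; per the reply they are the upperdir filesystem's
# inode and the overlayfs inode. Only generation and s_uuid differ.
BACKING_INODE = {"ino": 1234, "generation": 7, "uid": 0, "gid": 0,
                 "mode": 0o100644,
                 "s_uuid": uuid.UUID("00000000-0000-0000-0000-00000000aaaa")}
OVL_INODE = dict(BACKING_INODE, generation=9,
                 s_uuid=uuid.UUID("00000000-0000-0000-0000-00000000bbbb"))


def evm_hmac(xattrs: dict, inode: dict) -> bytes:
    """HMAC over the protected xattrs followed by inode metadata.

    The metadata block is a simplification of the kernel's hmac_misc,
    but it carries the same point: the HMAC is bound to one inode."""
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha256)
    for name in sorted(xattrs):
        h.update(name + b"\0" + xattrs[name])
    h.update(struct.pack("<QIIII", inode["ino"], inode["generation"],
                         inode["uid"], inode["gid"], inode["mode"]))
    h.update(inode["s_uuid"].bytes)
    return h.digest()


def verify(stored: bytes, xattrs: dict, inode: dict) -> bool:
    return hmac.compare_digest(stored, evm_hmac(xattrs, inode))


def demo() -> dict:
    """Backing fs maintains security.evm; overlayfs keeps its own value
    under a separate name so the two HMACs do not overwrite each other."""
    store = {b"security.evm": evm_hmac(XATTRS, BACKING_INODE),
             b"security.evm_overlayfs": evm_hmac(XATTRS, OVL_INODE)}
    return {
        "backing_ok": verify(store[b"security.evm"], XATTRS, BACKING_INODE),
        "backing_vs_ovl": verify(store[b"security.evm"], XATTRS, OVL_INODE),
        "ovl_ok": verify(store[b"security.evm_overlayfs"], XATTRS, OVL_INODE),
        "tampered": verify(store[b"security.evm_overlayfs"],
                           {b"security.ima": b"changed"}, OVL_INODE),
    }
```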