Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4052019rdb;
        Mon, 11 Dec 2023 07:36:45 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEaOZKG1BWkrln/l4wX8BlIFlUYO8QYXLPD5yF9ycerjbhF//Uq8GKIOly+vVECfq8sF4+a
X-Received: by 2002:a05:6a20:13cc:b0:18f:fcc5:4c64 with SMTP id ho12-20020a056a2013cc00b0018ffcc54c64mr4938276pzc.67.1702309004934;
        Mon, 11 Dec 2023 07:36:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1702309004; cv=none;
        d=google.com; s=arc-20160816;
        b=pnVrZ7RCFGhdSJ90wgUVQiuLebBbUDXTzOkVJYpcjGW70ucFfvu/YOg9miKaRZC34G
         AHLTjfXENZq8T8pPy2T+9NIN3nzVCA+nLjSGcZ41o2Mo0LjTuKSW0m1FJTxM0Txns6rM
         1UCsnM42TfQlIOm2VSKK2NJa5ruf82kbaFkiEZcaLxZLwzs4G6Oyj6FCKHEZ+Uiz31Oj
         FMUa6+QcUISWYrFQ3rwavxHDkdZKB5uLkB4IZLtlTlYeGyN7Mgn3A3NZgIQanl/hvubq
         NN5Qkypf+IN9qxGusq2OxQUJQRO3vc74kT2XYdStBMQfvaEJHMUGJl2is/Hd9ydjuXRO
         n1/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=X6a1SQNscykojk3z2YE0sI4yCvlaniPR/kEB+jy4a9E=;
        fh=JKcPRvZPFBOOQ0C7v83zUYql8w6ebVnFbGwq0JS3ivE=;
        b=Qovhi57dYy0U7QQQFSe2HTluekiRFskf69DgVRh7XduM2yRm07KjB24jvzDCXLXNg0
         7iC+I/jgAKrGwVxdMLtN7cqeUol+Qgvu5S/2GThNx2PJnyUbhrCfp9PuUDSg10qQsc03
         aA/kyVDzyYwJaSBHEm94BWRqQ/SeaD/3OqfWHZOsEoNk9ei7jXzNofLQn0qLmtqnGHiZ
         +N514biuJ+3lE1W0O9VQRpjykHRLCg4hn65S0TQTPxnSCJXDVxUguKGmHRys9dRkk0eH
         VUBQW/QCnLzG5BtnLikNveid8fN3tme0zAidFACrGufWOn8wtBJGUP67mf0xHWqeAGe8
         ixdA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RGlrXRHH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from pete.vger.email (pete.vger.email. [2620:137:e000::3:6])
        by mx.google.com with ESMTPS id o7-20020a656a47000000b005c1b323da1bsi6516157pgu.695.2023.12.11.07.36.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 11 Dec 2023 07:36:44 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) client-ip=2620:137:e000::3:6;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=RGlrXRHH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:6 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by pete.vger.email (Postfix) with ESMTP id 7AD3B80811F0;
	Mon, 11 Dec 2023 07:36:42 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1344296AbjLKPg2 (ORCPT
        <rfc822;aditya.jainadityajain.jain@gmail.com> + 99 others);
        Mon, 11 Dec 2023 10:36:28 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38658 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1344386AbjLKPgS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 11 Dec 2023 10:36:18 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 24E72E5
        for <linux-kernel@vger.kernel.org>; Mon, 11 Dec 2023 07:36:23 -0800 (PST)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1E5FAC433C7;
        Mon, 11 Dec 2023 15:36:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1702308983;
        bh=1KvwnOdKn846sf3NBCoHv3K2XeZjYpErYFAYjSoZsuI=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=RGlrXRHHFeOBWA4wq1r4umoZLQo088nLaUT2d4ZwZMhGf2qAE9mT2Oi0qU63jbd3o
         XSuRRDg6bJTDWWPj1WPh8QWw0nRaZblP0OxvwwwQsUa1SoaX0ttlI6pK7cgFLIFFUr
         J00m7LXOZcAyUwmKQGOIRvnpSX6rYOy/CElyn6qmE3RxM14xisAtYWuR4NJwf6SVzI
         ktv4NZYqVcTFwufwU5qp1tVsp/gDZK0yAXIDmQeV/b9t+szXNlVxIbo3/MaoN93SlN
         49xRWHkVl7F3oSqllXIGPGqcWMar8akdbOCzFphHB8PYVIPrFurZO1VeH3cHsCo1Y9
         Mx6PjjtXlTMfA==
Date:   Mon, 11 Dec 2023 09:36:21 -0600
From:   Seth Forshee <sforshee@kernel.org>
To:     Roberto Sassu <roberto.sassu@huaweicloud.com>
Cc:     Christian Brauner <brauner@kernel.org>,
        Amir Goldstein <amir73il@gmail.com>, miklos@szeredi.hu,
        linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org,
        zohar@linux.ibm.com, paul@paul-moore.com, stefanb@linux.ibm.com,
        jlayton@kernel.org, linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org,
        Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to
 security.evm_overlayfs
Message-ID: <ZXcsdf6BzszwZc9h@do-x1extreme>
References: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com>
 <CAOQ4uxivpZ+u0A5kE962XST37-ey2Tv9EtddnZQhk3ohRkcQTw@mail.gmail.com>
 <20231208-tauziehen-zerfetzt-026e7ee800a0@brauner>
 <c95b24f27021052209ec6911d2b7e7b20e410f43.camel@huaweicloud.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <c95b24f27021052209ec6911d2b7e7b20e410f43.camel@huaweicloud.com>
X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Mon, 11 Dec 2023 07:36:42 -0800 (PST)

On Mon, Dec 11, 2023 at 03:56:06PM +0100, Roberto Sassu wrote:
> Ok, I will try.
> 
> I explain first how EVM works in general, and then why EVM does not
> work with overlayfs.
> 
> EVM gets called before there is a set/removexattr operation, and after,
> if that operation is successful. Before the set/removexattr operation
> EVM calculates the HMAC on current inode metadata (i_ino, i_generation,
> i_uid, i_gid, i_mode, POSIX ACLs, protected xattrs). Finally, it
> compares the calculated HMAC with the one in security.evm.
> 
> If the verification and the set/removexattr operation are successful,
> EVM calculates again the HMAC (in the post hooks) based on the updated
> inode metadata, and sets security.evm with the new HMAC.
> 
> The problem is the combination of: overlayfs inodes have different
> metadata than the lower/upper inodes; overlayfs calls the VFS to
> set/remove xattrs.

I don't know all of the inner workings of overlayfs in detail, but is it
not true that whatever metadata an overlayfs mount presents for a given
inode is stored in the lower and/or upper filesystem inodes? If the
metadata for those inodes is verified with EVM, why is it also necessary
to verify the metadata at the overlayfs level? If some overlayfs
metadata is currently omitted from the checks on the lower/upper inodes,
is there any reason EVM couldn't start including that its checksums?
Granted that there could be some backwards compatibility issues, but
maybe inclusion of the overlayfs metadata could be opt-in.

Thanks,
Seth