Message-ID: <6e05677355d6d134dddd11da56709b424b631079.camel@huaweicloud.com>
Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs
From: Roberto Sassu
To: Seth Forshee
Cc: Christian Brauner, Amir Goldstein, miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, paul@paul-moore.com, stefanb@linux.ibm.com, jlayton@kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Roberto Sassu
Date: Mon, 11 Dec 2023 16:41:46 +0100
References: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com> <20231208-tauziehen-zerfetzt-026e7ee800a0@brauner>

On Mon, 2023-12-11 at 09:36 -0600, Seth Forshee wrote:
> On Mon, Dec 11, 2023 at 03:56:06PM +0100, Roberto Sassu wrote:
> > Ok, I will try.
> >
> > I explain first how EVM works in general, and then why EVM does not
> > work with overlayfs.
> >
> > EVM gets called before there is a set/removexattr operation, and after,
> > if that operation is successful. Before the set/removexattr operation
> > EVM calculates the HMAC on current inode metadata (i_ino, i_generation,
> > i_uid, i_gid, i_mode, POSIX ACLs, protected xattrs). Finally, it
> > compares the calculated HMAC with the one in security.evm.
> >
> > If the verification and the set/removexattr operation are successful,
> > EVM calculates again the HMAC (in the post hooks) based on the updated
> > inode metadata, and sets security.evm with the new HMAC.
> >
> > The problem is the combination of: overlayfs inodes have different
> > metadata than the lower/upper inodes; overlayfs calls the VFS to
> > set/remove xattrs.
>
> I don't know all of the inner workings of overlayfs in detail, but is it
> not true that whatever metadata an overlayfs mount presents for a given
> inode is stored in the lower and/or upper filesystem inodes? If the
> metadata for those inodes is verified with EVM, why is it also necessary
> to verify the metadata at the overlayfs level? If some overlayfs
> metadata is currently omitted from the checks on the lower/upper inodes,
> is there any reason EVM couldn't start including that in its checksums?

Currently, the metadata where there is a misalignment are:
i_generation, s_uuid, (i_ino?).

Maybe there is more?

If metadata are aligned, there is no need to store two separate HMACs.

Thanks

Roberto

> Granted that there could be some backwards compatibility issues, but
> maybe inclusion of the overlayfs metadata could be opt-in.
>
> Thanks,
> Seth
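
A simplified user-space model of the verify-then-update flow described in the quoted explanation, and of the metadata misalignment named in the reply. This is an added example, not code from the thread or from the kernel. The key, the HMAC field layout, the use of SHA-256, the helper names, the sample values, and the assumption that the overlayfs-level check reads security.evm from the upper inode are all illustrative.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

KEY = b"constructed-evm-key"                      # constructed sample key
PROTECTED = ("security.ima", "security.selinux")  # illustrative subset

@dataclass
class Inode:
    i_ino: int
    i_generation: int
    s_uuid: bytes
    i_uid: int = 0
    i_gid: int = 0
    i_mode: int = 0o100644
    xattrs: dict = field(default_factory=dict)

def evm_hmac(meta, xattrs):
    """HMAC over protected xattrs and inode metadata (layout is illustrative)."""
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    for name in PROTECTED:
        h.update(xattrs.get(name, b""))
    h.update(struct.pack("<QIIII", meta.i_ino, meta.i_generation,
                         meta.i_uid, meta.i_gid, meta.i_mode))
    h.update(meta.s_uuid)
    return h.digest()

def evm_setxattr(meta, store, name, value):
    """meta: inode the EVM hooks see; store: inode that holds the xattrs."""
    stored = store.xattrs.get("security.evm", b"")
    if not hmac.compare_digest(stored, evm_hmac(meta, store.xattrs)):
        return False                                # pre hook: HMAC mismatch
    store.xattrs[name] = value                      # the xattr operation itself
    store.xattrs["security.evm"] = evm_hmac(meta, store.xattrs)  # post hook
    return True

def demo():
    upper = Inode(i_ino=1234, i_generation=7, s_uuid=b"U" * 16)
    upper.xattrs["security.evm"] = evm_hmac(upper, upper.xattrs)
    overlay = Inode(i_ino=99, i_generation=0, s_uuid=b"O" * 16)  # constructed values
    direct = evm_setxattr(upper, upper, "security.ima", b"\x04digest-a")
    via_overlay = evm_setxattr(overlay, upper, "security.ima", b"\x04digest-b")
    aligned = Inode(upper.i_ino, upper.i_generation, upper.s_uuid)
    via_aligned = evm_setxattr(aligned, upper, "security.ima", b"\x04digest-c")
    return direct, via_overlay, via_aligned

if __name__ == "__main__":
    print(demo())
```

The three results correspond to a setxattr checked against the upper inode's own metadata, the same operation checked against misaligned overlay metadata, and the case where the metadata are aligned so a single HMAC verifies at both levels.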