Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4117127rdb; Mon, 11 Dec 2023 09:15:57 -0800 (PST) X-Google-Smtp-Source: AGHT+IHHbCi4ixDNSMe7PA7gIDBZvjE7wLPLwoAsapZqecjkXJgG+wWQVmHZ4+jXH85Nckcl9HSS X-Received: by 2002:a17:902:e88b:b0:1d0:7535:8bc2 with SMTP id w11-20020a170902e88b00b001d075358bc2mr5554889plg.105.1702314956816; Mon, 11 Dec 2023 09:15:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702314956; cv=none; d=google.com; s=arc-20160816; b=VbjmTW+hCSOFtaaOEhxgwxGcGv07r7fNAKBuuAWhwTJYRjSCt57KeYn/SfZw/b2laR +36Dvv92bGkb+Dqu++mSeCnusoGH6RrncYFTsw6FPTVMGQJ9x+9CAsYpBm69RNJhcSDP jLSTc2GLN4W5O4aWhacYZvwJFkVwLtFyG6emjItOR+EVG5+h9lMeyxkKsY6QAECmk2cq N9Y8ewFvgs5J/D6rwddEKwewvEfKU16No8gV1H19wAEGm/zh/3H2Pi2TreffQnXQQ4W7 LRzNlSdNN9EmgzJgk2PiUPx5NsvZ9M8L6bEJzKMTaGp1Rnu59f3UilCenfcDg4dzY1Q1 2apQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=H/OUOW0f3JJwtD2FtzxD1DGLq5gPDtmIL2PlU/VaRRU=; fh=JKcPRvZPFBOOQ0C7v83zUYql8w6ebVnFbGwq0JS3ivE=; b=bD5wCF8krBKPpZpjsPHpzzy5eyteGpulXHQG6p3gqXrhSlayL8H63aMrechi6WXXuf s3J6fD1j9+cEubFpPHShYZuo38/k1kf+1Gz8Zu7dMiLJOnRBFUr6LFtGl/vW0lOcXDRV t39QErZQ7OJf3PCn7RLcGSPpZPGLecfpoYF/rt9ghXQ0S+i8th4H+Gc1J4374y3Vj64V 6JrTbgFE0ov8wffdwPB4LqKe94X3jxt+glkcuh9P8YDtLlzbIBWaeyLE+Pdy6BsMYQls VHThjDogmb2UgKcKZZJL2Duvql7Ue+RMiC/sRc0TUkokuC1TkVjEyC5jVHcdNQD+OT1i gSBQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FILBYqHU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from fry.vger.email (fry.vger.email. [23.128.96.38]) by mx.google.com with ESMTPS id jc12-20020a17090325cc00b001d04db0a359si6273957plb.199.2023.12.11.09.15.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Dec 2023 09:15:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=FILBYqHU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 0D0668087B6B; Mon, 11 Dec 2023 09:15:53 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344502AbjLKRPj (ORCPT + 99 others); Mon, 11 Dec 2023 12:15:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34110 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344301AbjLKRPi (ORCPT ); Mon, 11 Dec 2023 12:15:38 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 699279B for ; Mon, 11 Dec 2023 09:15:44 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8C42AC433C8; Mon, 11 Dec 2023 17:15:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1702314943; bh=cOadndWNrJ59Ef3Nb9Yx1iYcwUhRgTCTQRPzgwoU4Rc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=FILBYqHUPcbUyd5MWCTu3mNk5EOs8PJ4rWZFg9GLN0kT6ocPIWsAtBIc8ph7HLp+e 4WqN/oiKzN2vUkqnG6fGp2h1pxUuYbEkyrOYSJH1+Nsbp+r3mm3k7aYpivk7JPKKeS wbHJRIWhLntVfkEoGT3bjtNKCoLHZ8E+c/gyN15Wkrj7dad+eFA1iZaSPDPu+hPVMQ b1nUWtfn7X8Z99blOTIAOyrPjtDz20Jp3CNfsKlIvvoQnF8X+QGwsLWMyx1gGzTBxM 7sJjeq6UnqyjLaI4yt57m1HzB8oSNs2j0KFKpPJxRUB8x7h+/H/KG8CVvh6dwK8o4k Q5NljSbajP44Q== Date: Mon, 11 Dec 2023 11:15:42 -0600 From: Seth Forshee To: Roberto Sassu Cc: Christian Brauner , Amir Goldstein , miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, paul@paul-moore.com, stefanb@linux.ibm.com, jlayton@kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Roberto Sassu Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs Message-ID: References: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com> <20231208-tauziehen-zerfetzt-026e7ee800a0@brauner> <6e05677355d6d134dddd11da56709b424b631079.camel@huaweicloud.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6e05677355d6d134dddd11da56709b424b631079.camel@huaweicloud.com> X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Mon, 11 Dec 2023 09:15:54 -0800 (PST) On Mon, Dec 11, 2023 at 04:41:46PM +0100, Roberto Sassu wrote: > On Mon, 2023-12-11 at 09:36 -0600, Seth Forshee wrote: > > On Mon, Dec 11, 2023 at 03:56:06PM +0100, Roberto Sassu wrote: > > > Ok, I will try. > > > > > > I explain first how EVM works in general, and then why EVM does not > > > work with overlayfs. > > > > > > EVM gets called before there is a set/removexattr operation, and after, > > > if that operation is successful. Before the set/removexattr operation > > > EVM calculates the HMAC on current inode metadata (i_ino, i_generation, > > > i_uid, i_gid, i_mode, POSIX ACLs, protected xattrs). Finally, it > > > compares the calculated HMAC with the one in security.evm. > > > > > > If the verification and the set/removexattr operation are successful, > > > EVM calculates again the HMAC (in the post hooks) based on the updated > > > inode metadata, and sets security.evm with the new HMAC. > > > > > > The problem is the combination of: overlayfs inodes have different > > > metadata than the lower/upper inodes; overlayfs calls the VFS to > > > set/remove xattrs. > > > > I don't know all of the inner workings of overlayfs in detail, but is it > > not true that whatever metadata an overlayfs mount presents for a given > > inode is stored in the lower and/or upper filesystem inodes? If the > > metadata for those inodes is verified with EVM, why is it also necessary > > to verify the metadata at the overlayfs level? If some overlayfs > > metadata is currently omitted from the checks on the lower/upper inodes, > > is there any reason EVM couldn't start including that its checksums? > > Currently, the metadata where there is a misalignment are: > i_generation, s_uuid, (i_ino?). Maybe there is more? > > If metadata are aligned, there is no need to store two separate HMACs. I can only think of three possible sources for the metadata overlayfs presents: 1. It comes directly from the underlying filesystems 2. overlayfs synthesizes if from the underlying filesystem data 3. It's purely generated at runtime Are there others? 1 and 2 should be covered by EVM on the underlying filesystems. If 3 is happening then it seems like hashing that data is just confirming that overlayfs consistently generates the same values for that data, and verifying code behavior doesn't seem in-scope for EVM.