Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4143827rdb; Mon, 11 Dec 2023 10:01:35 -0800 (PST) X-Google-Smtp-Source: AGHT+IFczyyOGTRcuxKVGiTAHf7TmXChVRbo2wjrPEVlZnibsjz/R8Kncq6Zu5QbsfEy5FrzYNaa X-Received: by 2002:a05:6a00:4601:b0:6cd:f91e:dfe4 with SMTP id ko1-20020a056a00460100b006cdf91edfe4mr4812481pfb.2.1702317695008; Mon, 11 Dec 2023 10:01:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702317694; cv=none; d=google.com; s=arc-20160816; b=mvbRQCGkeaSNK/aG50R4zK1pfXzyJUEr5twDdOwlzFZd1Ro3fQUhQcE8vyBSy+UNmx X6p2zCY04JIbINx96IxZBFFbPTjLsj6+hwDLtOGYGmkHBImPxa739zrjlW9PQjKyvTxo /DIzC0qFMzNKmr97clmX5l7i79GCCXP4/hFFddkAdFe8kqNrMcxf4L1TWJwzMpg44Kei VqCJcJuUNdhae6O2QC+PnGlmAed1PfX5cJCA473e6/lf20JOEPP3XEHfzxylVLVzpero TXnfYPWgpRQmxJg1+5F2nKGyCixsakGk4b8skBssEp0zVWhTxKpKTIDpVca27+/cepYY 4aSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=/aJFFFept3zGlz0exoMmk4HuZpglY2YkGxMaB6CtcNM=; fh=ESgzTA9ti5i+4Xm/5LskeThyB7XE9m89eXC90D21S+A=; b=jPSgtF7jF6F1cvRgZNVjOuv+ViWJ+WbZ6cFcnsB+0m9RdGX/P0J+eHCm2LLHBiVr4G LBRFoPb7GV5vQbIjKShtjBm/U//9RKtc/K9lsEC/xTNYDK0Le4ljcZpjO4w1u1FQb4du Crv/I708OpGJAV0ikvRxGqFhwos+nF/06IxfUl4/vbvh+yhvX93CUdDFtrEfUJVA8wYy 50EeFhMupBzZpSQo93rTLExPIEAXSpc2mXows1mkNb+Y4BFgzSU98MKsmghbjs25ShWs XSJ2l6b8oAjF9NYvhyzRaCRi8BgD153mGOwkJqAH2tinhln4AN+6KEYsaIH/piY3uDTO TmeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ewKcaYCz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id b13-20020a630c0d000000b005bda77217eesi6413595pgl.209.2023.12.11.10.01.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Dec 2023 10:01:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ewKcaYCz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id DD24280990D0; Mon, 11 Dec 2023 10:01:29 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345117AbjLKSBO (ORCPT + 99 others); Mon, 11 Dec 2023 13:01:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53950 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345034AbjLKSBM (ORCPT ); Mon, 11 Dec 2023 13:01:12 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1EB0C9D for ; Mon, 11 Dec 2023 10:01:19 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4CCCEC433C7; Mon, 11 Dec 2023 18:01:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1702317678; bh=YJWISt590/g0otblmkssjtUeSQnjpGCXYjZSjuDzcf8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ewKcaYCzaPwT9dVHWHwwInwt5Sej4niDOrEwZv6S36t142PbL4/VOJpVE+ojMsGC0 qork2wL3Mv6DeeO9RmzPXQdcBxjOf1150pRqFqB2zCQbWB6h2hXTIxG9zC9gTLZbqj H8hyw7zdZ8QcPEeG2aoZaPYWwzkbwwINoPB+SJuJHBbNXs7QohPpcp3X/9HB4R1NxS epRO96d6Y1ja1aq6HuWdeHBrFU1fTXl21VbDG3jywLiRbc9EYtQiITIPVIBZOOA8bZ Pb/E52Z6bBCbaP2L/GYXiAve1A82LlgYQj1fbiW7qmE3cT1AWXydoqS37ORc6E25jj UKvO45i8ZaXcg== Date: Mon, 11 Dec 2023 19:01:12 +0100 From: Christian Brauner To: Roberto Sassu Cc: Amir Goldstein , Seth Forshee , miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, paul@paul-moore.com, stefanb@linux.ibm.com, jlayton@kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Roberto Sassu Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs Message-ID: <20231211-fortziehen-basen-b8c0639044b8@brauner> References: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com> <20231208-tauziehen-zerfetzt-026e7ee800a0@brauner> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Mon, 11 Dec 2023 10:01:30 -0800 (PST) > The second problem is that one security.evm is not enough. We need two, > to store the two different HMACs. And we need both at the same time, > since when overlayfs is mounted the lower/upper directories can be > still accessible. "Changes to the underlying filesystems while part of a mounted overlay filesystem are not allowed. If the underlying filesystem is changed, the behavior of the overlay is undefined, though it will not result in a crash or deadlock." https://docs.kernel.org/filesystems/overlayfs.html#changes-to-underlying-filesystems So I don't know why this would be a problem. > In the example I described, IMA tries to update security.ima, but this > causes EVM to attempt updating security.evm twice (once after the upper > filesystem performed the setxattr requested by overlayfs, another after > overlayfs performed the setxattr requested by IMA; the latter fails So I think phrasing it this way is confusiong. All that overlayfs does is to forward that setxattr request to the upper layer. So really the overlayfs layer here is irrelevant? > since EVM does not allow the VFS to directly update the HMAC). Callchains and details, please. I don't understand what you mean. > > Remapping security.evm to security.evm_overlayfs (now > trusted.overlay.evm) allows us to store both HMACs separately and to > know which one to use. > > I just realized that the new xattr name should be public, because EVM > rejects HMAC updates, so we should reject HMAC updates based on the new > xattr name too. I won't support any of this going in unless there's a comprehensive description of where this is all supposed to go and there's a comprehensive and coherent story of what EVM and IMA want to achieve for overlayfs or stacking filesystems in general. The past months we've seen a bunch of ductape to taper over this pretty basic question and there's no end in sight apparently. Really, we need a comprehensive solution for both IMA and EVM it seems. And before that is solved we'll not be merging anything of this sort and won't make any impactful uapi changes such as exposing a new security.* xattr.