Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4163183rdb; Mon, 11 Dec 2023 10:32:01 -0800 (PST) X-Google-Smtp-Source: AGHT+IGtvkA35ATzYbeOUqVfB6xYHpgqBhMkJACNMmKtt9baKbm/22IYCYdJrAui8hxq4Ubg1MnX X-Received: by 2002:a17:90a:df82:b0:28a:3457:d7f8 with SMTP id p2-20020a17090adf8200b0028a3457d7f8mr2000067pjv.14.1702319520819; Mon, 11 Dec 2023 10:32:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702319520; cv=none; d=google.com; s=arc-20160816; b=aeK9ztAAZfGrY6EhGm34qwiD0Kfhl8mUosUz5padPFL9xYJtqOLGT+ZtqnD23erML8 CmVO0PxrYqbMlYrBuKIGvpbhIV2T0y2XF/H7KJEj+iSfavYjni4CthNJEG4C/rGYIblT D0ybM71TmjDMwDcPAgp2KEFwM2smTZXudy8ec3AxzCA6wkaUEc4b7vpgyeYwuo97kIxS K3p4VnT4GW5xJagyGKeDGrd+utIeMCjpH4DJIVcILj1zIh3OQ8GySGGwJ8unYahzoz6U iuhnYpvydF1waVadblZnH5rj1FCEf9eZ8wBAR3tPG3D9CDSG0/lFdz9X5VaVFUNJqoPD mroA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=fTW8PXqixb5wSH5WvPY2gNC1fyQ7CohqHF+38plcVqE=; fh=yXrP7w8GcpC/HnG8V9iOs79Oe+0qKyBGFbAmEkmuSgs=; b=gcJgITAozS/zGCzWFsMLFqfqUtcN5mm4ScmoE/5FANURUOZIFPzYJAT0gn44nd/ije D13WtxSnFhCO452MJtX6yC23C8NAmZioRWjcRskn3X3mgXRGI57TPmSZt+DBtFFkmw3U e7xqL6fgQC7dNI+rZ+WyeejtaT7O1QBwThs0TveMd/TAnJPkYE3zR1tGFihzGl5tXd09 n70bhV8BPeQr5OCeaotKIQrwCKvMdpshJMnOI8gfiwa6FmKlG85+hL4O/nCsvrseRPeh EoVtCx/vQw7e/yjJTFhwYsE9wp9GuWZJtfIvBMFQZsBj27zdUGjX/CoeysabjO3ehuUO 9sdw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Tpkr1hxc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id h4-20020a170902f54400b001d044fd25easi6543954plf.391.2023.12.11.10.31.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Dec 2023 10:32:00 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Tpkr1hxc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 5CA6C80990FA; Mon, 11 Dec 2023 10:31:56 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345195AbjLKSbk (ORCPT + 99 others); Mon, 11 Dec 2023 13:31:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33846 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344963AbjLKSbj (ORCPT ); Mon, 11 Dec 2023 13:31:39 -0500 Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8865DAC; Mon, 11 Dec 2023 10:31:45 -0800 (PST) Received: by mail-qv1-xf2a.google.com with SMTP id 6a1803df08f44-67a89dc1ef1so31219316d6.3; Mon, 11 Dec 2023 10:31:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702319504; x=1702924304; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=fTW8PXqixb5wSH5WvPY2gNC1fyQ7CohqHF+38plcVqE=; b=Tpkr1hxcOOXTCrewysaLPE4YOBt4UeOLlr71vma+brDelC4ls5AkIPV/E6A9X4qcsu DvpzmPoTv31nYsdygOhooQGUNZLDmnnHhc37b3RRpRBVyHBeoW18NaLP95hpXeXGb4tO gI5CSzdmXMsvNuXUK5wbmeZkAUyBa7/eIdfUcvtMF82xqIIkgzvCF7TMZfB8CUAonsxl t5uc1OML0QrZcVQTtA5+sgIbE3zbyoBTHg+jA6ng6oJ5MPFpR9MKC1Ex77MsRckZgTDR 8eVQ3ybP39VWXGOH/s0JE9XGYHc+wdEH2MfFWT994YGITqkBccd5eCM6GReAaqXCAwu6 RuCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702319504; x=1702924304; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fTW8PXqixb5wSH5WvPY2gNC1fyQ7CohqHF+38plcVqE=; b=tcvJQgLEZKeZHjX2Y8jlnvl5uIakKTooncjBZFOKn30TjM2r5Bg2R9cLstHjb5zI1n lEQDOmgjZbuq4lgF+SAyC88zoSaONDK+bElbGEP/n7RaE4SYQh4hfMwuFRMVYLceyE4G o5rIywfGxgBEJNHXoT2w1YWEfm5F7C4mwJ279TJH+042EQl3WiClQHadFRwwH2PbHq4Q A5EXn9JnphO4q8wNR8J0y/IbPpblDNyC46PAPBSzoHdeYU5Mu6vdctIoF1ngiSz1qn0f PnDbu8hQa/i9k0TOBgYORZw3x/He8z1Mc/n4g9uUu2gYUmis+V8Sk6bCAFjJCxxI+1p4 qwHA== X-Gm-Message-State: AOJu0Yx6DkaxbvOwPF9gxdMf1CcYOSE072hUNjWmsCq3X/WByaZbSux6 FcNa+A6YJ4T59mdZQrkKkabdneMB4okCsuQbA9I= X-Received: by 2002:a05:6214:154c:b0:67a:dc5a:4fb8 with SMTP id t12-20020a056214154c00b0067adc5a4fb8mr6393575qvw.17.1702319504602; Mon, 11 Dec 2023 10:31:44 -0800 (PST) MIME-Version: 1.0 References: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com> <20231208-tauziehen-zerfetzt-026e7ee800a0@brauner> In-Reply-To: From: Amir Goldstein Date: Mon, 11 Dec 2023 20:31:33 +0200 Message-ID: Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs To: Roberto Sassu Cc: Christian Brauner , Seth Forshee , miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, paul@paul-moore.com, stefanb@linux.ibm.com, jlayton@kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Roberto Sassu Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Mon, 11 Dec 2023 10:31:56 -0800 (PST) On Mon, Dec 11, 2023 at 4:56=E2=80=AFPM Roberto Sassu wrote: > > On Fri, 2023-12-08 at 23:01 +0100, Christian Brauner wrote: > > On Fri, Dec 08, 2023 at 11:55:19PM +0200, Amir Goldstein wrote: > > > On Fri, Dec 8, 2023 at 7:25=E2=80=AFPM Roberto Sassu > > > wrote: > > > > > > > > From: Roberto Sassu > > > > > > > > EVM updates the HMAC in security.evm whenever there is a setxattr o= r > > > > removexattr operation on one of its protected xattrs (e.g. security= .ima). > > > > > > > > Unfortunately, since overlayfs redirects those xattrs operations on= the > > > > lower filesystem, the EVM HMAC cannot be calculated reliably, since= lower > > > > inode attributes on which the HMAC is calculated are different from= upper > > > > inode attributes (for example i_generation and s_uuid). > > > > > > > > Although maybe it is possible to align such attributes between the = lower > > > > and the upper inode, another idea is to map security.evm to another= name > > > > (security.evm_overlayfs) > > > > > > If we were to accept this solution, this will need to be trusted.over= lay.evm > > > to properly support private overlay xattr escaping. > > > > > > > during an xattr operation, so that it does not > > > > collide with security.evm set by the lower filesystem. > > > > > > You are using wrong terminology and it is very confusing to me. > > > > Same. > > Argh, sorry... > > > > see the overlay mount command has lowerdir=3D and upperdir=3D. > > > Seems that you are using lower filesystem to refer to the upper fs > > > and upper filesystem to refer to overlayfs. > > > > > > > > > > > Whenever overlayfs wants to set security.evm, it is actually settin= g > > > > security.evm_overlayfs calculated with the upper inode attributes. = The > > > > lower filesystem continues to update security.evm. > > > > > > > > > > I understand why that works, but I am having a hard time swallowing > > > the solution, mainly because I feel that there are other issues on th= e > > > intersection of overlayfs and IMA and I don't feel confident that thi= s > > > addresses them all. > > This solution is specifically for the collisions on HMACs, nothing > else. Does not interfere/solve any other problem. > > > > If you want to try to convince me, please try to write a complete > > > model of how IMA/EVM works with overlayfs, using the section > > > "Permission model" in Documentation/filesystems/overlayfs.rst > > > as a reference. > > Ok, I will try. > > I explain first how EVM works in general, and then why EVM does not > work with overlayfs. > I understand both of those things. What I don't understand is WHY EVM needs to work on overlayfs? What is the use case? What is the threat model? The purpose of IMA/EVM as far as I understand it is to detect and protect against tampering with data/metadata offline. Right? As Seth correctly wrote, overlayfs is just the composition of existing underlying layers. Noone can tamper with overlayfs without tampering with the underlying layers. The correct solution to your problem, and I have tried to say this many times, in to completely opt-out of IMA/EVM for overlayfs. EVM should not store those versions of HMAC for overlayfs and for the underlying layers, it should ONLY store a single version for the underlying layer. Because write() in overlayfs always follows by write() to upper layer and setxattr() in overlayfs always follows by setxattr() to upper layer IMO write() and setxattr() on overlayfs should by ignored by IMA/EVM and only write()/setxattr() on underlying fs should be acted by IMA/EVM which AFAIK, happens anyway. Please let me know if I am missing something, Thanks, Amir.