Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4632471rdb; Tue, 12 Dec 2023 05:21:18 -0800 (PST) X-Google-Smtp-Source: AGHT+IF6udph/phbK5CDhu+PWtWS8UctMaMODtNFNFpX//Yxyek4hVTCmY5Ib27QbubhUNtHWc6O X-Received: by 2002:a05:6358:91aa:b0:170:ec2e:4373 with SMTP id j42-20020a05635891aa00b00170ec2e4373mr1153346rwa.6.1702387277860; Tue, 12 Dec 2023 05:21:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702387277; cv=none; d=google.com; s=arc-20160816; b=UMt+26EJ8ZdBZpVd/sMx58naAp1y28s+790hDg41RuriRv22Aw2INhtvxMxNPrQUTd 75i9/6pGBMBXMY4KXA0cm5F+bq47GKc+JvFm5T2bI3309kfrs8zp94PaEAJK27cNu4Zn Jgmtc7tOS5c8Eo7q2p1gcAHdDZYmfNOMoE47fxu1+7Sm8tvz1SF2+/NJLVmQmbUYzlja fdL/XlUP0FS26R1sCjLLiLPT7ebwo8apQJZO0lKYeZ7lqIjTlJGUkXv8vMFYKbhuG+Ue qeLRiPVa5tJ/WW1Hspg+Bi1UtBak1+MHMVJgY26rPuFXJabu5InAsl2HbO1SW38FRHQr T9NQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=GLOLiUiTqnN/UunDh9+P2l/RKCu0hqwJyWdUAtn8BXE=; fh=/lmmafkkBv7ooghrSnO6ROU+H8ZJk4zy1Q+S3W6WJeA=; b=Gtd5naEX57roZNcTn9RRpaz6Wybe9/Ox9n8GvEI3tBV7H38p3/C+TwD9trKA/Ea/lk 5il6QIUWt75dfMBH/wXFgJzWzdWRLz7ro9nNjIqRyciT8eqVJJ+ihRvvx0bGwUcOThB6 U85pnGDLDYUICN9OJjJP2yrt5/fhBMOvSUclkKRA+7nK2xf9fQ/0mNzWDhyH3E6xBh7x VC2eQj6HJeaiVzfuh7isHbTFtdBXyE5jUxuXhLL8hsGpws6eMPt4tlo3UxBYZBbB21P4 Uzf1VCRgZGdYOzsSrymRg+fGO67eQPKuZDBqeO5krR+XM+2p1YPjCfZxsJGxRQfUb1CW EnUQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id q9-20020a63f949000000b0059d25cedc79si7731262pgk.767.2023.12.12.05.21.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Dec 2023 05:21:17 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id E2A2D80ADF1D; Tue, 12 Dec 2023 05:21:16 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346418AbjLLNVB (ORCPT + 99 others); Tue, 12 Dec 2023 08:21:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47870 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235152AbjLLMlh (ORCPT ); Tue, 12 Dec 2023 07:41:37 -0500 Received: from frasgout12.his.huawei.com (frasgout12.his.huawei.com [14.137.139.154]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 45B9295; Tue, 12 Dec 2023 04:41:43 -0800 (PST) Received: from mail.maildlp.com (unknown [172.18.186.51]) by frasgout12.his.huawei.com (SkyGuard) with ESMTP id 4SqHqB6dJRz9xrpF; Tue, 12 Dec 2023 20:24:22 +0800 (CST) Received: from mail02.huawei.com (unknown [7.182.16.27]) by mail.maildlp.com (Postfix) with ESMTP id 1AF9C1404DB; Tue, 12 Dec 2023 20:41:34 +0800 (CST) Received: from [10.204.63.22] (unknown [10.204.63.22]) by APP2 (Coremail) with SMTP id GxC2BwCHN2H0VHhlfMxgAg--.37324S2; Tue, 12 Dec 2023 13:41:33 +0100 (CET) Message-ID: Date: Tue, 12 Dec 2023 13:41:22 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs Content-Language: en-US To: Amir Goldstein Cc: Christian Brauner , Seth Forshee , miklos@szeredi.hu, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, paul@paul-moore.com, stefanb@linux.ibm.com, jlayton@kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Roberto Sassu References: <20231208172308.2876481-1-roberto.sassu@huaweicloud.com> <20231208-tauziehen-zerfetzt-026e7ee800a0@brauner> From: Roberto Sassu In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-CM-TRANSID: GxC2BwCHN2H0VHhlfMxgAg--.37324S2 X-Coremail-Antispam: 1UD129KBjvJXoWxAF1rJFW5Xw43CryftryxKrg_yoWrAryDpF WYka4UKrs8tr17AwnFya17XFWjy3yrJ3WUXw1Dtr4kZFyDtF1Sgry7Ka4UuF9rWr1xG34j vFWjk347ur9xZ3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkjb4IE77IF4wAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr0_Gr1UM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40E x7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x 0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lFIxGxcIEc7CjxVA2Y2ka0xkIwI1l42xK82IYc2Ij 64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x 8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE 2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42 xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIE c7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x07UWE__UUUUU= X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgAJBF1jj5ONawAAsL X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 12 Dec 2023 05:21:17 -0800 (PST) On 11.12.23 19:31, Amir Goldstein wrote: > On Mon, Dec 11, 2023 at 4:56 PM Roberto Sassu > wrote: >> >> On Fri, 2023-12-08 at 23:01 +0100, Christian Brauner wrote: >>> On Fri, Dec 08, 2023 at 11:55:19PM +0200, Amir Goldstein wrote: >>>> On Fri, Dec 8, 2023 at 7:25 PM Roberto Sassu >>>> wrote: >>>>> >>>>> From: Roberto Sassu >>>>> >>>>> EVM updates the HMAC in security.evm whenever there is a setxattr or >>>>> removexattr operation on one of its protected xattrs (e.g. security.ima). >>>>> >>>>> Unfortunately, since overlayfs redirects those xattrs operations on the >>>>> lower filesystem, the EVM HMAC cannot be calculated reliably, since lower >>>>> inode attributes on which the HMAC is calculated are different from upper >>>>> inode attributes (for example i_generation and s_uuid). >>>>> >>>>> Although maybe it is possible to align such attributes between the lower >>>>> and the upper inode, another idea is to map security.evm to another name >>>>> (security.evm_overlayfs) >>>> >>>> If we were to accept this solution, this will need to be trusted.overlay.evm >>>> to properly support private overlay xattr escaping. >>>> >>>>> during an xattr operation, so that it does not >>>>> collide with security.evm set by the lower filesystem. >>>> >>>> You are using wrong terminology and it is very confusing to me. >>> >>> Same. >> >> Argh, sorry... >> >>>> see the overlay mount command has lowerdir= and upperdir=. >>>> Seems that you are using lower filesystem to refer to the upper fs >>>> and upper filesystem to refer to overlayfs. >>>> >>>>> >>>>> Whenever overlayfs wants to set security.evm, it is actually setting >>>>> security.evm_overlayfs calculated with the upper inode attributes. The >>>>> lower filesystem continues to update security.evm. >>>>> >>>> >>>> I understand why that works, but I am having a hard time swallowing >>>> the solution, mainly because I feel that there are other issues on the >>>> intersection of overlayfs and IMA and I don't feel confident that this >>>> addresses them all. >> >> This solution is specifically for the collisions on HMACs, nothing >> else. Does not interfere/solve any other problem. >> >>>> If you want to try to convince me, please try to write a complete >>>> model of how IMA/EVM works with overlayfs, using the section >>>> "Permission model" in Documentation/filesystems/overlayfs.rst >>>> as a reference. >> >> Ok, I will try. >> >> I explain first how EVM works in general, and then why EVM does not >> work with overlayfs. >> > > I understand both of those things. > > What I don't understand is WHY EVM needs to work on overlayfs? > What is the use case? > What is the threat model? > > The purpose of IMA/EVM as far as I understand it is to detect and > protect against tampering with data/metadata offline. Right? > > As Seth correctly wrote, overlayfs is just the composition of existing > underlying layers. > > Noone can tamper with overlayfs without tampering with the underlying > layers. Makes sense. > The correct solution to your problem, and I have tried to say this many > times, in to completely opt-out of IMA/EVM for overlayfs. > > EVM should not store those versions of HMAC for overlayfs and for > the underlying layers, it should ONLY store a single version for the > underlying layer. If we avoid the checks in IMA and EVM for overlayfs, we need the guarantee that everything passes through overlayfs down, and that there is no external interference to the lower and upper filesystems (the part that is used by overlayfs). Maybe I'm missing something, I looked at this issue only now, and Mimi knows it much better than me. Roberto > Because write() in overlayfs always follows by write() to upper layer > and setxattr() in overlayfs always follows by setxattr() to upper layer > IMO write() and setxattr() on overlayfs should by ignored by IMA/EVM > and only write()/setxattr() on underlying fs should be acted by IMA/EVM > which AFAIK, happens anyway. > > Please let me know if I am missing something, > > Thanks, > Amir.