X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240130214620.3155380-1-stefanb@linux.ibm.com> <20240130214620.3155380-6-stefanb@linux.ibm.com>
In-Reply-To: <20240130214620.3155380-6-stefanb@linux.ibm.com>
From: Amir Goldstein
Date: Wed, 31 Jan 2024 16:06:05 +0200
Subject: Re: [PATCH 5/5] evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
To: Stefan Berger
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, miklos@szeredi.hu, Christian Brauner

On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger wrote:
>
> Unsupported filesystems currently do not enforce any signatures. Add
> support for signature enforcement of the "original" and "portable &
> immutable" signatures when EVM_INIT_X509 is enabled.
>
> The "original" signature type contains filesystem specific metadata.
> Thus it cannot be copied up and verified. However with EVM_INIT_X509
> and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature
> may be written.
>
> When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from
> /sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not
> possible to write or remove xattrs on the overlay filesystem.
>
> This change still prevents EVM from writing HMAC signatures on
> unsupported filesystem when EVM_INIT_HMAC is enabled.
>
> Signed-off-by: Stefan Berger
> ---
>  security/integrity/evm/evm_main.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index e96d127b48a2..f49609dfcbc7 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -192,7 +192,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
>  		     iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
>  		return iint->evm_status;
>
> -	if (is_unsupported_fs(dentry))
> +	/*
> +	 * On unsupported filesystems with EVM_INIT_X509 not enabled, skip
> +	 * signature verification.
> +	 */
> +	if (!(evm_initialized & EVM_INIT_X509) && is_unsupported_fs(dentry))
>  		return INTEGRITY_UNKNOWN;
>

Are the names is_unsupported_fs() and SB_I_EVM_UNSUPPORTED still a good
description of what overlayfs is after this change?
Is EVM really not supported on overlayfs after this change?

Would you consider a better descriptive name, for the helper and flag,
at least as descriptive as SB_I_IMA_UNVERIFIABLE_SIGNATURE?

Thanks,
Amir.
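Review bot: the new comment in the evm_verify_hmac() hunk restates the condition rather than the reason for it. After this change a filesystem flagged by is_unsupported_fs() still has its signatures verified whenever EVM_INIT_X509 is set, so the only thing that remains unsupported there is HMAC (which the commit message says EVM still refuses to write). The comment should say that, otherwise a reader has to reconcile "skip signature verification on unsupported filesystems" with the fact that the very next condition verifies them. Something like `/* Without EVM_INIT_X509 there is no public key to verify signatures on filesystems where EVM cannot maintain HMACs, so treat them as unknown. */` would carry the reasoning from the commit message into the code. Note also that only this hunk is quoted while the diffstat reports 7 insertions and 5 deletions, so the write-side change the commit message describes ("still prevents EVM from writing HMAC signatures") is in a hunk not visible here and cannot be checked against this comment.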