Received: by 2002:a89:2c3:0:b0:1ed:23cc:44d1 with SMTP id d3csp808294lqs; Tue, 5 Mar 2024 18:24:03 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCWMKajJf8IoCSaAnYgqQ4RRJeNjSFdasohQkdJ47kFjB2JZJWEaWMagGvkew/JhcYjdQ6z/Sz4crLM9ewsqGilMcKJk0AeJjcE2V1NM2A== X-Google-Smtp-Source: AGHT+IEVVt/x188BNFpCk6vjQphnAUZ1HvfjgntI/clOwNcF50Fy2NmxipC8MeIKcDfxOraOxrE+ X-Received: by 2002:a05:6a00:1492:b0:6e6:2df4:198b with SMTP id v18-20020a056a00149200b006e62df4198bmr6921091pfu.4.1709691843117; Tue, 05 Mar 2024 18:24:03 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709691843; cv=pass; d=google.com; s=arc-20160816; b=HCNzDvRMz1eXWz3xHQQckYgfDeQgalyejrqArmQCfniMIXObDb3a6vLavFAQmN45Rd Nin749tRemL5U0B7F+EyOUU+11Snjunrmhm1Ts9SNRHCc67tZeywXuq/o6N1nqabXKct kYyNlx7a/NctBET+X1mAmGNkXGWaCiUosRDQealZcamvENxwOdcDkgoE0BThphsJX1VM 142MDKf/u97sBRRDvKkDda/qb+qH2Eu9W2kC7QK0D+p91Vsit5yeuC0Xvhyzr6JJ3mnz uN+sFIH6XAdJvRFw/m2pbl3q6X9q8Pl4z89P1cSNM4VJYu98hPlgs6uolXXbl56kQvu6 GOFw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=obieB/aGXWUQxrjkUCIoo5ZBlMGaQ2KaeavDHRbRQLI=; fh=JuCV4F9jt0cwYkbp4k7ZvXLIbKpT3B9ffuwmbi5BCv4=; b=LXL+NZTeeHgozDHIai9+tf+Y3QMSakVzVaT9WkKujZZFK6z51bKQ2D++MZYfvCFsDY kcmwq1IzOfYwT0TgL2iGDr0NYHK7PUhY5RjomHnb5p16LbZtSSiVd+UdT31XXQTnsTDc 2r/sJASUVzQUUv/cXYHIpCEsICyiwJeGS4bV8ybwXK62PIYeCrcXpNm27BLeYWnXBDPi Nvae3Cd7i/0VVLHn4HJN3q88MmjfEw4Z7GdeacGOCdF1lRLSuNFnwnvjg2xy5yQpLphm 5C0bmD9XLlvhWVN+uYguaMv+Dm5JOYJee/Nrr05PX+4XJe0Rhvinpvg1NxdgvwJMV0mG 9Esg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=nxQYEVlH; arc=pass (i=1 spf=pass spfdomain=linux.ibm.com dkim=pass dkdomain=ibm.com dmarc=pass fromdomain=linux.ibm.com); spf=pass (google.com: domain of linux-kernel+bounces-93240-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-93240-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id f22-20020a631f16000000b005dc8762dce5si10998447pgf.51.2024.03.05.18.24.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 18:24:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-93240-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=nxQYEVlH; arc=pass (i=1 spf=pass spfdomain=linux.ibm.com dkim=pass dkdomain=ibm.com dmarc=pass fromdomain=linux.ibm.com); spf=pass (google.com: domain of linux-kernel+bounces-93240-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-93240-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 2541C2863A0 for ; Wed, 6 Mar 2024 02:22:46 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4E8FEDF49; Wed, 6 Mar 2024 02:22:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="nxQYEVlH" Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E91206117; Wed, 6 Mar 2024 02:22:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.156.1 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709691751; cv=none; b=uNKh8eCFw23D6KNRlGMjlt7NrcOgg4QR/No4pS2MJcnjQcsYxM3vVnPVIHU9el3JP2W6X0wiOCcFPQSgxhQqRVrAL8i8/8RUNoRhoBXrzauJyZqJeu0xUSW2ic3cgC6jBFSwxuiz4919Wn+fT1d77ePRgwuOn7R7RCrRF1h+fyU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709691751; c=relaxed/simple; bh=BY5cAWwdUufd1lZC7KL4e1CLMCvpDyaykzCDEmw3piE=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=QWyeH9TLe17tA/S0HWn0Qmp/Yr9TsmrSUx5Mb198d/2OdTwZ/3efK//uadLW2U8HMSRJw+THjaqpZUN+F2fxVnkKO5nVFickSx2QlPJOW65bhGJWFCjdrT8k+10nvIePZc8XVnVd9tU7Rq618g14ZMvkZJPRsp90BYT+4AdXufI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=nxQYEVlH; arc=none smtp.client-ip=148.163.156.1 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Received: from pps.filterd (m0353726.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 4261v3aj030129; Wed, 6 Mar 2024 02:21:46 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : subject : from : to : cc : date : in-reply-to : references : content-type : content-transfer-encoding : mime-version; s=pp1; bh=obieB/aGXWUQxrjkUCIoo5ZBlMGaQ2KaeavDHRbRQLI=; b=nxQYEVlHsY8TY9DZ7RvKpc9ICN6yUD3ks/4AjtAMmEQtTmgl7BmRMd2keEOziSpMnbe8 RM07du1XSbu2YrzoqJnB9dd62sqqwf3d6ttYyyAzcdFQ8Witk711uc/gtgp2qTVKtfsq T7j2xnOwKyPniGxCjrik350kSQzK4tHZGQ21i2GRWO79Ezim++Flmr+Kr4r9P8BZa+KL OVhCReVGdzPFiArK1tvXfR5zUmgY3KApxixvBSSCTOPdTR0eKhzWUt4M04KdG58X76CS TFpcBlpJ37N2behrtvT636E58DI8fivLcL2YPxtKZYwAJYSEo8+yRwgUNOoiA92l4L0K fQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3wpf9b0cej-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 06 Mar 2024 02:21:46 +0000 Received: from m0353726.ppops.net (m0353726.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 42625tFc019455; Wed, 6 Mar 2024 02:21:45 GMT Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3wpf9b0ccx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 06 Mar 2024 02:21:45 +0000 Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id 4261c6Pt020608; Wed, 6 Mar 2024 02:17:39 GMT Received: from smtprelay07.dal12v.mail.ibm.com ([172.16.1.9]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 3wmfxkukta-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 06 Mar 2024 02:17:39 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 4262HaMD43909640 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 6 Mar 2024 02:17:38 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5456558056; Wed, 6 Mar 2024 02:17:36 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D3B705804E; Wed, 6 Mar 2024 02:17:33 +0000 (GMT) Received: from li-5cd3c5cc-21f9-11b2-a85c-a4381f30c2f3.ibm.com (unknown [9.61.10.162]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Wed, 6 Mar 2024 02:17:33 +0000 (GMT) Message-ID: <10773e5b90ec9378cbc69fa9cfeb61a84273edc2.camel@linux.ibm.com> Subject: Re: [PATCH v2 24/25] commoncap: use vfs fscaps interfaces From: Mimi Zohar To: Roberto Sassu , Christian Brauner , "Seth Forshee (DigitalOcean)" Cc: Serge Hallyn , Paul Moore , Eric Paris , James Morris , Alexander Viro , Jan Kara , Stephen Smalley , Ondrej Mosnacek , Casey Schaufler , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , "Matthew Wilcox (Oracle)" , Jonathan Corbet , Miklos Szeredi , Amir Goldstein , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org Date: Tue, 05 Mar 2024 21:17:33 -0500 In-Reply-To: <7058e2f93d16f910336a5380877b14a2e069ee9d.camel@huaweicloud.com> References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> <20240221-idmap-fscap-refactor-v2-24-3039364623bd@kernel.org> <20240305-fachjargon-abmontieren-75b1d6c67a83@brauner> <3098aef3e5f924e5717b4ba4a34817d9f22ec479.camel@huaweicloud.com> <7058e2f93d16f910336a5380877b14a2e069ee9d.camel@huaweicloud.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.5 (3.28.5-22.el8) X-TM-AS-GCONF: 00 X-Proofpoint-GUID: 5d2LP9goU7jdJnNYQKugPWTEZlmFuvLX X-Proofpoint-ORIG-GUID: 9zv_pGh2oYkeWF_4Thb1moVWjaRCV6Bo Content-Transfer-Encoding: 7bit X-Proofpoint-UnRewURL: 0 URL was un-rewritten Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-05_20,2024-03-05_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 mlxscore=0 adultscore=0 malwarescore=0 suspectscore=0 impostorscore=0 clxscore=1011 mlxlogscore=999 spamscore=0 lowpriorityscore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2311290000 definitions=main-2403060018 On Tue, 2024-03-05 at 18:11 +0100, Roberto Sassu wrote: > On Tue, 2024-03-05 at 13:46 +0100, Roberto Sassu wrote: > > On Tue, 2024-03-05 at 10:12 +0100, Christian Brauner wrote: > > > On Mon, Mar 04, 2024 at 10:56:17AM -0600, Seth Forshee (DigitalOcean) > > > wrote: > > > > On Mon, Mar 04, 2024 at 05:17:57PM +0100, Roberto Sassu wrote: > > > > > On Mon, 2024-03-04 at 09:31 -0600, Seth Forshee (DigitalOcean) wrote: > > > > > > On Mon, Mar 04, 2024 at 11:19:54AM +0100, Roberto Sassu wrote: > > > > > > > On Wed, 2024-02-21 at 15:24 -0600, Seth Forshee (DigitalOcean) > > > > > > > wrote: > > > > > > > > Use the vfs interfaces for fetching file capabilities for > > > > > > > > killpriv > > > > > > > > checks and from get_vfs_caps_from_disk(). While there, update > > > > > > > > the > > > > > > > > kerneldoc for get_vfs_caps_from_disk() to explain how it is > > > > > > > > different > > > > > > > > from vfs_get_fscaps_nosec(). > > > > > > > > > > > > > > > > Signed-off-by: Seth Forshee (DigitalOcean) > > > > > > > > --- > > > > > > > > security/commoncap.c | 30 +++++++++++++----------------- > > > > > > > > 1 file changed, 13 insertions(+), 17 deletions(-) > > > > > > > > > > > > > > > > diff --git a/security/commoncap.c b/security/commoncap.c > > > > > > > > index a0ff7e6092e0..751bb26a06a6 100644 > > > > > > > > --- a/security/commoncap.c > > > > > > > > +++ b/security/commoncap.c > > > > > > > > @@ -296,11 +296,12 @@ int cap_capset(struct cred *new, > > > > > > > > */ > > > > > > > > int cap_inode_need_killpriv(struct dentry *dentry) > > > > > > > > { > > > > > > > > - struct inode *inode = d_backing_inode(dentry); > > > > > > > > + struct vfs_caps caps; > > > > > > > > int error; > > > > > > > > > > > > > > > > - error = __vfs_getxattr(dentry, inode, XATTR_NAME_CAPS, > > > > > > > > NULL, 0); > > > > > > > > - return error > 0; > > > > > > > > + /* Use nop_mnt_idmap for no mapping here as mapping is > > > > > > > > unimportant */ > > > > > > > > + error = vfs_get_fscaps_nosec(&nop_mnt_idmap, dentry, > > > > > > > > &caps); > > > > > > > > + return error == 0; > > > > > > > > } > > > > > > > > > > > > > > > > /** > > > > > > > > @@ -323,7 +324,7 @@ int cap_inode_killpriv(struct mnt_idmap > > > > > > > > *idmap, struct dentry *dentry) > > > > > > > > { > > > > > > > > int error; > > > > > > > > > > > > > > > > - error = __vfs_removexattr(idmap, dentry, > > > > > > > > XATTR_NAME_CAPS); > > > > > > > > + error = vfs_remove_fscaps_nosec(idmap, dentry); > > > > > > > > > > > > > > Uhm, I see that the change is logically correct... but the > > > > > > > original > > > > > > > code was not correct, since the EVM post hook is not called (thus > > > > > > > the > > > > > > > HMAC is broken, or an xattr change is allowed on a portable > > > > > > > signature > > > > > > > which should be not). > > > > > > > > > > > > > > For completeness, the xattr change on a portable signature should > > > > > > > not > > > > > > > happen in the first place, so cap_inode_killpriv() would not be > > > > > > > called. > > > > > > > However, since EVM allows same value change, we are here. > > > > > > > > > > > > I really don't understand EVM that well and am pretty hesitant to > > > > > > try an > > > > > > change any of the logic around it. But I'll hazard a thought: should > > > > > > EVM > > > > > > have a inode_need_killpriv hook which returns an error in this > > > > > > situation? > > > > > > > > > > Uhm, I think it would not work without modifying > > > > > security_inode_need_killpriv() and the hook definition. > > > > > > > > > > Since cap_inode_need_killpriv() returns 1, the loop stops and EVM > > > > > would > > > > > not be invoked. We would need to continue the loop and let EVM know > > > > > what is the current return value. Then EVM can reject the change. > > > > > > > > > > An alternative way would be to detect that actually we are setting the > > > > > same value for inode metadata, and maybe not returning 1 from > > > > > cap_inode_need_killpriv(). > > > > > > > > > > I would prefer the second, since EVM allows same value change and we > > > > > would have an exception if there are fscaps. > > > > > > > > > > This solves only the case of portable signatures. We would need to > > > > > change cap_inode_need_killpriv() anyway to update the HMAC for mutable > > > > > files. > > > > > > > > I see. In any case this sounds like a matter for a separate patch > > > > series. > > > > > > Agreed. > > > > Christian, how realistic is that we don't kill priv if we are setting > > the same owner? > > > > Serge, would we be able to replace __vfs_removexattr() (or now > > vfs_get_fscaps_nosec()) with a security-equivalent alternative? > > It seems it is not necessary. > > security.capability removal occurs between evm_inode_setattr() and > evm_inode_post_setattr(), after the HMAC has been verified and before > the new HMAC is recalculated (without security.capability). > > So, all good. > > Christian, Seth, I pushed the kernel and the updated tests (all patches > are WIP): > > https://github.com/robertosassu/linux/commits/evm-fscaps-v2/ Resetting the IMA status flag is insufficient. The EVM status needs to be reset as well. Stefan's "ima: re-evaluate file integrity on file metadata change" patch does something similar for overlay. Mimi https://lore.kernel.org/linux-integrity/20240223172513.4049959-8-stefanb@linux.ibm.com/ > > https://github.com/robertosassu/ima-evm-utils/commits/evm-fscaps-v2/ > > > The tests are passing: > > https://github.com/robertosassu/ima-evm-utils/actions/runs/8159877004/job/22305521359 > > Roberto > >