Message-ID: <3cfd131856909f8a36f502498987dece7a294a3e.camel@linux.ibm.com>
Subject: Re: [PATCH v8 22/24] evm: Make it independent from 'integrity' LSM
From: Mimi Zohar
To: Roberto Sassu, viro@zeniv.linux.org.uk, brauner@kernel.org,
    chuck.lever@oracle.com, jlayton@kernel.org, neilb@suse.de,
    kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com,
    paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
    dmitry.kasatkin@gmail.com, dhowells@redhat.com, jarkko@kernel.org,
    stephen.smalley.work@gmail.com, eparis@parisplace.org,
    casey@schaufler-ca.com, shuah@kernel.org, mic@digikod.net
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
    linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org,
    linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
    selinux@vger.kernel.org, linux-kselftest@vger.kernel.org,
    Roberto Sassu
Date: Tue, 26 Dec 2023 22:12:15 -0500
In-Reply-To: <20231214170834.3324559-23-roberto.sassu@huaweicloud.com>
References: <20231214170834.3324559-1-roberto.sassu@huaweicloud.com>
    <20231214170834.3324559-23-roberto.sassu@huaweicloud.com>

On Thu, 2023-12-14 at 18:08 +0100, Roberto Sassu wrote:
> From: Roberto Sassu
>
> Define a new structure for EVM-specific metadata, called evm_iint_cache,
> and embed it in the inode security blob. Introduce evm_iint_inode() to
> retrieve metadata, and register evm_inode_alloc_security() for the
> inode_alloc_security LSM hook, to initialize the structure (before
> splitting metadata, this task was done by iint_init_always()).
>
> Keep the non-NULL checks after calling evm_iint_inode() except in
> evm_inode_alloc_security(), to take into account inodes for which
> security_inode_alloc() was not called. When using shared metadata,
> obtaining a NULL pointer from integrity_iint_find() meant that the file
> wasn't processed by IMA.

^wasn't in policy.

Ok. So now regardless of the IMA policy, EVM always allocates and
stores the EVM status. Depending on the IMA policy, the EVM status
could be saved for a lot more inodes.

>
> Given that from now on EVM relies on its own metadata, remove the iint
> parameter from evm_verifyxattr(). Also, directly retrieve the iint in
> evm_verify_hmac(), called by both evm_verifyxattr() and
> evm_verify_current_integrity(), since now there is no performance penalty
> in retrieving EVM metadata (constant time).

Ok. So the change only negatively impacts memory usage, not
performance.

>
> Replicate the management of the IMA_NEW_FILE flag (now EVM_NEW_FILE), by
> introducing evm_post_path_mknod() and evm_file_free() to respectively set
> and clear the new flag at the same time IMA does.

nit: Instead of "(now EVM_NEW_FILE)", add an additional sentence,
saying "Define EVM_NEW_FILE".

> A noteworthy difference
> is that evm_post_path_mknod() cannot check if a file must be appraised.

This is the result of making EVM independent of IMA's policy.
Somewhere, here or above, this needs to be stated.

> Also, since IMA_NEW_FILE is always cleared in ima_check_last_writer() if it
> is set, it is not necessary to maintain an inode version in EVM to
> replicate the IMA logic (the inode version check is in OR).

IMA checking the i_version is to prevent unnecessarily having to
re-calculate the file data hash, which depending on the file size could
take a while. This is unnecessary for EVM, as re-calculating the EVM
hmac is triggered anytime a trusted xattr is updated. So only the EVM
new file flag needs to be cleared on file free.

> Also, move the EVM-specific flag EVM_IMMUTABLE_DIGSIG to
> security/integrity/evm/evm.h, since that definition is now unnecessary in
> the common integrity layer.
>
> Finally, switch to the LSM reservation mechanism for the EVM xattr, and
> consequently decrement by one the number of xattrs to allocate in
> security_inode_init_security().
>
> Signed-off-by: Roberto Sassu

--
thanks,

Mimi