| Message ID | 20240130214620.3155380-2-stefanb@linux.ibm.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-45347-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:2087:b0:106:209c:c626 with SMTP id
gs7csp1513618dyb;
Tue, 30 Jan 2024 13:48:22 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IHx6oD15HKLP3QscGif3O5InoMDPHcTi3CUvd7oa+YJPaYLOv1AixhUE5xGnWuacs67Sl1I
X-Received: by 2002:a05:6808:1183:b0:3be:2fbf:4509 with SMTP id
j3-20020a056808118300b003be2fbf4509mr566411oil.36.1706651302037;
Tue, 30 Jan 2024 13:48:22 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1706651302; cv=pass;
d=google.com; s=arc-20160816;
b=M352meH81s4CUyFxsowFtlPoerXtn03qvsue1DqLMOt4WgwreCuw1OqppqXcQpoGyV
Cu2G5EODI1YcsDa1Zw/wlso8sByyMmj9salBG0zMaj/22bgWrdleJnIiTvtGY5EIb0vX
CeWV5sRyN9CS2tPxLU/DvaNTa+SXTXwIIyaGZwufDOJ66ea420j7fqOzwv2PRKiVNDVy
RmypcVRPgrNgd3/q/7s8OgLWOFvEi4Tf1hicG+aPjZObsFDPNXAFidH6zzVTkLYJ6xLl
CoFhFkc7OYNsobXy5gX4rgiekea3tYAsdwU8dH2HTmCskjGii6ab6p8vsA9oE2a+i7ma
ZjVg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from:dkim-signature;
bh=ziVlO+dnOtCXjBz/gV1l3+dnf+oYvewAs/EKyz4Wv3U=;
fh=ncez+Zuks3r0u/GH7GwMN7W85FP2C9GgAvOVpsEx2iM=;
b=API6kgqOJPLFoZ1UDkntn6G1XB5YYGTc5Thmyz7mRPVFi2TfnSjdwQvUlRsDaobH+M
3bx12e58X6Zz9Diz4CmUWfYGliRcgdQGfZBiH80IRXtt5UYFTtw/SLQFQcgCbFBOI1Xo
/00I+V2zh2JBgB2SGH++4f0bmdP18/k3DNjzN/83FLyY0jmIQEkta1faxJhbQy4WtgMX
qb3NMMxPnELIx8ZY14qIS2Hw94UWtpCHOwPFhREfNjV9Qo/BVpm4Fuj1wMAU4IWE0MA1
3XX+QH+8XmmKvhhi29NQWX56hRePWMqcxzPFhmZ4iQ/bY0udK+KHvnWpnr8tOkLq2JIs
ItQw==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@ibm.com header.s=pp1 header.b=WS5ir9TD;
arc=pass (i=1 spf=pass spfdomain=linux.ibm.com dkim=pass
dkdomain=ibm.com dmarc=pass fromdomain=linux.ibm.com);
spf=pass (google.com: domain of
linux-kernel+bounces-45347-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-45347-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org.
[2604:1380:45d1:ec00::1])
by mx.google.com with ESMTPS id
v11-20020ac8578b000000b0042be0e48c71si1293254qta.491.2024.01.30.13.48.21
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 30 Jan 2024 13:48:22 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-45347-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@ibm.com header.s=pp1 header.b=WS5ir9TD;
arc=pass (i=1 spf=pass spfdomain=linux.ibm.com dkim=pass
dkdomain=ibm.com dmarc=pass fromdomain=linux.ibm.com);
spf=pass (google.com: domain of
linux-kernel+bounces-45347-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-45347-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ibm.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ny.mirrors.kernel.org (Postfix) with ESMTPS id BF18A1C20A80
for <ouuuleilei@gmail.com>; Tue, 30 Jan 2024 21:48:21 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 5938C78688;
Tue, 30 Jan 2024 21:47:01 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com
header.b="WS5ir9TD"
Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com
[148.163.158.5])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8168678B64;
Tue, 30 Jan 2024 21:46:52 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=148.163.158.5
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1706651215; cv=none;
b=Z6AJwCmrOU//8FXYgR0cDLBgeJimaXvM5gI5ZMckog97a2fShbAdaxpX0hgiLyV70b50ixJSlSz6qirSTQtZkdBRI5OYCpssAJPL5DvzfJyMhq/rKQcHTOtWuS6LJVYlJhygRJSS4UyR/tNY2QAhekRCsAXtnx7xnQReC7FfXDw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1706651215; c=relaxed/simple;
bh=HLpwlFI69iotr1hPLjzeM18DSEwoMiQ2mxy0WSHuluk=;
h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version;
b=sSSc//Qxav5UUM8AMk1dZo4bzKrm3JnyZz14VM6ImH8F0UiIGTo7oGDyVpfm46qBGZGsj2mXQ3MZKq4LhlcVUhLQ4L0LkByDOazI1Hr0eEGhbksjDjCToxxcRDkJknopWWqzbB4xrKyDVeVWIW7NRic7552O69clYKjdDD9tyAY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=linux.ibm.com;
spf=pass smtp.mailfrom=linux.ibm.com;
dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com
header.b=WS5ir9TD; arc=none smtp.client-ip=148.163.158.5
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=linux.ibm.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=linux.ibm.com
Received: from pps.filterd (m0353722.ppops.net [127.0.0.1])
by mx0a-001b2d01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
40ULXLnV012708;
Tue, 30 Jan 2024 21:46:30 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com;
h=from : to : cc : subject
: date : message-id : in-reply-to : references : mime-version :
content-transfer-encoding; s=pp1;
bh=ziVlO+dnOtCXjBz/gV1l3+dnf+oYvewAs/EKyz4Wv3U=;
b=WS5ir9TDTufmdS/1nR6z0UqzkzV2HvUV7VdRfk+owYB4AYGM1QUAbQU/U0sPpTuO55Mf
kvd9JSVxSvcXN0ZQBmxjDNPxZyEWJBijj/lP0eLMetEJc3+oBV9QcmRNN15cAf4WkKw8
QtwjFrg00OTUTCNG+6QZ9ZXXxO4vfZCAdRR6wphyb7lZqHaAdDm+VhWSeXYVWzrcDM5s
z81aPQsQaa8vHWGMupHigaImSMh2TFtqN3YMyLGgoeo4w7xUr54rsFEdvoEfIa6A17FG
UjGGG8E2x8DVoP7wh6dW0VXmr7+BQAMfb/X6ZW10jcfNWyj5x4U0yb5j/Nru5Gw7Srhu tg==
Received: from pps.reinject (localhost [127.0.0.1])
by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3vy94n07kj-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Tue, 30 Jan 2024 21:46:30 +0000
Received: from m0353722.ppops.net (m0353722.ppops.net [127.0.0.1])
by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 40ULYcX2015260;
Tue, 30 Jan 2024 21:46:29 GMT
Received: from ppma21.wdc07v.mail.ibm.com
(5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91])
by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3vy94n07k1-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Tue, 30 Jan 2024 21:46:29 +0000
Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1])
by ppma21.wdc07v.mail.ibm.com (8.17.1.19/8.17.1.19) with ESMTP id
40UJ86Jm010564;
Tue, 30 Jan 2024 21:46:28 GMT
Received: from smtprelay07.dal12v.mail.ibm.com ([172.16.1.9])
by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 3vwd5nsf5r-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Tue, 30 Jan 2024 21:46:28 +0000
Received: from smtpav05.dal12v.mail.ibm.com (smtpav05.dal12v.mail.ibm.com
[10.241.53.104])
by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
40ULkS3p31326538
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
Tue, 30 Jan 2024 21:46:28 GMT
Received: from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id E816558056;
Tue, 30 Jan 2024 21:46:27 +0000 (GMT)
Received: from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id 4BF5E58052;
Tue, 30 Jan 2024 21:46:27 +0000 (GMT)
Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153])
by smtpav05.dal12v.mail.ibm.com (Postfix) with ESMTP;
Tue, 30 Jan 2024 21:46:27 +0000 (GMT)
From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org,
serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com,
amir73il@gmail.com, miklos@szeredi.hu,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH 1/5] security: allow finer granularity in permitting copy-up
of security xattrs
Date: Tue, 30 Jan 2024 16:46:16 -0500
Message-ID: <20240130214620.3155380-2-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240130214620.3155380-1-stefanb@linux.ibm.com>
References: <20240130214620.3155380-1-stefanb@linux.ibm.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: nsNshzt1SCogKEXlGy533T4CUsAVBwI3
X-Proofpoint-ORIG-GUID: YWDCNKq7p8-nPtFrvnuRxTAM3vP-0P-x
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26
definitions=2024-01-30_12,2024-01-30_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
mlxlogscore=562
impostorscore=0 phishscore=0 adultscore=0 clxscore=1015 lowpriorityscore=0
bulkscore=0 spamscore=0 malwarescore=0 priorityscore=1501 suspectscore=0
mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=8.12.0-2311290000 definitions=main-2401300162
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1789553595996965729
X-GMAIL-MSGID: 1789553595996965729
|
| Series |
evm: Support signatures on stacked filesystem
|
|
Commit Message
Stefan Berger
Jan. 30, 2024, 9:46 p.m. UTC
Copying up xattrs is solely based on the security xattr name. For finer
granularity add a dentry parameter to the security_inode_copy_up_xattr
hook definition, allowing decisions to be based on the xattr content as
well.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
fs/overlayfs/copy_up.c | 2 +-
include/linux/evm.h | 2 +-
include/linux/lsm_hook_defs.h | 3 ++-
include/linux/security.h | 4 ++--
security/integrity/evm/evm_main.c | 2 +-
security/security.c | 7 ++++---
security/selinux/hooks.c | 2 +-
security/smack/smack_lsm.c | 2 +-
8 files changed, 13 insertions(+), 11 deletions(-)
Comments
On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@linux.ibm.com> wrote: > > Copying up xattrs is solely based on the security xattr name. For finer > granularity add a dentry parameter to the security_inode_copy_up_xattr > hook definition, allowing decisions to be based on the xattr content as > well. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > fs/overlayfs/copy_up.c | 2 +- > include/linux/evm.h | 2 +- > include/linux/lsm_hook_defs.h | 3 ++- > include/linux/security.h | 4 ++-- > security/integrity/evm/evm_main.c | 2 +- > security/security.c | 7 ++++--- > security/selinux/hooks.c | 2 +- > security/smack/smack_lsm.c | 2 +- > 8 files changed, 13 insertions(+), 11 deletions(-) > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c > index b8e25ca51016..bd9ddcefb7a7 100644 > --- a/fs/overlayfs/copy_up.c > +++ b/fs/overlayfs/copy_up.c > @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de > if (ovl_is_private_xattr(sb, name)) > continue; > > - error = security_inode_copy_up_xattr(name); > + error = security_inode_copy_up_xattr(old, name); What do you think about: error = security_inode_copy_up_xattr(name, NULL, 0); and then later... error = security_inode_copy_up_xattr(name, value, size); I am asking because overlayfs uses mnt_idmap(path->mnt) and you have used nop_mnt_idmap inside evm hook. this does not look right to me? Thanks, Amir.
On Wed, Jan 31, 2024 at 03:25:29PM +0200, Amir Goldstein wrote: > On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@linux.ibm.com> wrote: > > > > Copying up xattrs is solely based on the security xattr name. For finer > > granularity add a dentry parameter to the security_inode_copy_up_xattr > > hook definition, allowing decisions to be based on the xattr content as > > well. > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > --- > > fs/overlayfs/copy_up.c | 2 +- > > include/linux/evm.h | 2 +- > > include/linux/lsm_hook_defs.h | 3 ++- > > include/linux/security.h | 4 ++-- > > security/integrity/evm/evm_main.c | 2 +- > > security/security.c | 7 ++++--- > > security/selinux/hooks.c | 2 +- > > security/smack/smack_lsm.c | 2 +- > > 8 files changed, 13 insertions(+), 11 deletions(-) > > > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c > > index b8e25ca51016..bd9ddcefb7a7 100644 > > --- a/fs/overlayfs/copy_up.c > > +++ b/fs/overlayfs/copy_up.c > > @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de > > if (ovl_is_private_xattr(sb, name)) > > continue; > > > > - error = security_inode_copy_up_xattr(name); > > + error = security_inode_copy_up_xattr(old, name); > > What do you think about: > > error = security_inode_copy_up_xattr(name, NULL, 0); > > and then later... > > error = security_inode_copy_up_xattr(name, value, size); > > I am asking because overlayfs uses mnt_idmap(path->mnt) and you > have used nop_mnt_idmap inside evm hook. > this does not look right to me? So it's relevant if they interact with xattrs that care about the idmapping and that's POSIX ACLs and fscaps. And only if they perform permission checks such as posix_acl_update_mode() or something. IOW, it depends on what exactly EVM is doing. IIRC, I already added custom security_*() hooks specifically for POSIX ACLs as they can't be retrieved through vfs_xattr*() helpers anymore.
On 1/31/24 09:25, Christian Brauner wrote: > On Wed, Jan 31, 2024 at 03:25:29PM +0200, Amir Goldstein wrote: >> On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@linux.ibm.com> wrote: >>> >>> Copying up xattrs is solely based on the security xattr name. For finer >>> granularity add a dentry parameter to the security_inode_copy_up_xattr >>> hook definition, allowing decisions to be based on the xattr content as >>> well. >>> >>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >>> --- >>> fs/overlayfs/copy_up.c | 2 +- >>> include/linux/evm.h | 2 +- >>> include/linux/lsm_hook_defs.h | 3 ++- >>> include/linux/security.h | 4 ++-- >>> security/integrity/evm/evm_main.c | 2 +- >>> security/security.c | 7 ++++--- >>> security/selinux/hooks.c | 2 +- >>> security/smack/smack_lsm.c | 2 +- >>> 8 files changed, 13 insertions(+), 11 deletions(-) >>> >>> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c >>> index b8e25ca51016..bd9ddcefb7a7 100644 >>> --- a/fs/overlayfs/copy_up.c >>> +++ b/fs/overlayfs/copy_up.c >>> @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de >>> if (ovl_is_private_xattr(sb, name)) >>> continue; >>> >>> - error = security_inode_copy_up_xattr(name); >>> + error = security_inode_copy_up_xattr(old, name); >> >> What do you think about: >> >> error = security_inode_copy_up_xattr(name, NULL, 0); >> >> and then later... >> >> error = security_inode_copy_up_xattr(name, value, size); >> >> I am asking because overlayfs uses mnt_idmap(path->mnt) and you >> have used nop_mnt_idmap inside evm hook. >> this does not look right to me? > > So it's relevant if they interact with xattrs that care about the > idmapping and that's POSIX ACLs and fscaps. And only if they perform > permission checks such as posix_acl_update_mode() or something. IOW, it > depends on what exactly EVM is doing. In 2/5 we are reading the value of security.evm to look at its contents. > > IIRC, I already added custom security_*() hooks specifically for POSIX > ACLs as they can't be retrieved through vfs_xattr*() helpers anymore.
Hi Stefan, kernel test robot noticed the following build errors: [auto build test ERROR on zohar-integrity/next-integrity] [also build test ERROR on pcmoore-selinux/next linus/master v6.8-rc2 next-20240131] [cannot apply to mszeredi-vfs/overlayfs-next mszeredi-vfs/next] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Stefan-Berger/security-allow-finer-granularity-in-permitting-copy-up-of-security-xattrs/20240131-054854 base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity patch link: https://lore.kernel.org/r/20240130214620.3155380-2-stefanb%40linux.ibm.com patch subject: [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs config: i386-buildonly-randconfig-002-20240131 (https://download.01.org/0day-ci/archive/20240201/202402010014.MArAf4UB-lkp@intel.com/config) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240201/202402010014.MArAf4UB-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202402010014.MArAf4UB-lkp@intel.com/ All errors (new ones prefixed by >>): >> security/security.c:2627:38: error: too many arguments to function call, expected single argument 'name', have 2 arguments 2627 | return evm_inode_copy_up_xattr(src, name); | ~~~~~~~~~~~~~~~~~~~~~~~ ^~~~ include/linux/evm.h:121:20: note: 'evm_inode_copy_up_xattr' declared here 121 | static inline int evm_inode_copy_up_xattr(const char *name) | ^ ~~~~~~~~~~~~~~~~ 1 error generated. vim +/name +2627 security/security.c 2596 2597 /** 2598 * security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op 2599 * @src: union dentry of copy-up file 2600 * @name: xattr name 2601 * 2602 * Filter the xattrs being copied up when a unioned file is copied up from a 2603 * lower layer to the union/overlay layer. The caller is responsible for 2604 * reading and writing the xattrs, this hook is merely a filter. 2605 * 2606 * Return: Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP 2607 * if the security module does not know about attribute, or a negative 2608 * error code to abort the copy up. 2609 */ 2610 int security_inode_copy_up_xattr(struct dentry *src, const char *name) 2611 { 2612 struct security_hook_list *hp; 2613 int rc; 2614 2615 /* 2616 * The implementation can return 0 (accept the xattr), 1 (discard the 2617 * xattr), -EOPNOTSUPP if it does not know anything about the xattr or 2618 * any other error code in case of an error. 2619 */ 2620 hlist_for_each_entry(hp, 2621 &security_hook_heads.inode_copy_up_xattr, list) { 2622 rc = hp->hook.inode_copy_up_xattr(src, name); 2623 if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) 2624 return rc; 2625 } 2626 > 2627 return evm_inode_copy_up_xattr(src, name); 2628 } 2629 EXPORT_SYMBOL(security_inode_copy_up_xattr); 2630
Hi Stefan, kernel test robot noticed the following build errors: [auto build test ERROR on zohar-integrity/next-integrity] [also build test ERROR on pcmoore-selinux/next linus/master v6.8-rc2 next-20240131] [cannot apply to mszeredi-vfs/overlayfs-next mszeredi-vfs/next] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Stefan-Berger/security-allow-finer-granularity-in-permitting-copy-up-of-security-xattrs/20240131-054854 base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity patch link: https://lore.kernel.org/r/20240130214620.3155380-2-stefanb%40linux.ibm.com patch subject: [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs config: x86_64-defconfig (https://download.01.org/0day-ci/archive/20240201/202402010225.BXp3LrvU-lkp@intel.com/config) compiler: gcc-11 (Debian 11.3.0-12) 11.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240201/202402010225.BXp3LrvU-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202402010225.BXp3LrvU-lkp@intel.com/ All errors (new ones prefixed by >>): security/security.c: In function 'security_inode_copy_up_xattr': >> security/security.c:2627:40: error: passing argument 1 of 'evm_inode_copy_up_xattr' from incompatible pointer type [-Werror=incompatible-pointer-types] 2627 | return evm_inode_copy_up_xattr(src, name); | ^~~ | | | struct dentry * In file included from security/security.c:24: include/linux/evm.h:121:56: note: expected 'const char *' but argument is of type 'struct dentry *' 121 | static inline int evm_inode_copy_up_xattr(const char *name) | ~~~~~~~~~~~~^~~~ >> security/security.c:2627:16: error: too many arguments to function 'evm_inode_copy_up_xattr' 2627 | return evm_inode_copy_up_xattr(src, name); | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from security/security.c:24: include/linux/evm.h:121:20: note: declared here 121 | static inline int evm_inode_copy_up_xattr(const char *name) | ^~~~~~~~~~~~~~~~~~~~~~~ cc1: some warnings being treated as errors vim +/evm_inode_copy_up_xattr +2627 security/security.c 2596 2597 /** 2598 * security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op 2599 * @src: union dentry of copy-up file 2600 * @name: xattr name 2601 * 2602 * Filter the xattrs being copied up when a unioned file is copied up from a 2603 * lower layer to the union/overlay layer. The caller is responsible for 2604 * reading and writing the xattrs, this hook is merely a filter. 2605 * 2606 * Return: Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP 2607 * if the security module does not know about attribute, or a negative 2608 * error code to abort the copy up. 2609 */ 2610 int security_inode_copy_up_xattr(struct dentry *src, const char *name) 2611 { 2612 struct security_hook_list *hp; 2613 int rc; 2614 2615 /* 2616 * The implementation can return 0 (accept the xattr), 1 (discard the 2617 * xattr), -EOPNOTSUPP if it does not know anything about the xattr or 2618 * any other error code in case of an error. 2619 */ 2620 hlist_for_each_entry(hp, 2621 &security_hook_heads.inode_copy_up_xattr, list) { 2622 rc = hp->hook.inode_copy_up_xattr(src, name); 2623 if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) 2624 return rc; 2625 } 2626 > 2627 return evm_inode_copy_up_xattr(src, name); 2628 } 2629 EXPORT_SYMBOL(security_inode_copy_up_xattr); 2630
On Wed, Jan 31, 2024 at 09:56:25AM -0500, Stefan Berger wrote: > > > On 1/31/24 09:25, Christian Brauner wrote: > > On Wed, Jan 31, 2024 at 03:25:29PM +0200, Amir Goldstein wrote: > > > On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@linux.ibm.com> wrote: > > > > > > > > Copying up xattrs is solely based on the security xattr name. For finer > > > > granularity add a dentry parameter to the security_inode_copy_up_xattr > > > > hook definition, allowing decisions to be based on the xattr content as > > > > well. > > > > > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > > --- > > > > fs/overlayfs/copy_up.c | 2 +- > > > > include/linux/evm.h | 2 +- > > > > include/linux/lsm_hook_defs.h | 3 ++- > > > > include/linux/security.h | 4 ++-- > > > > security/integrity/evm/evm_main.c | 2 +- > > > > security/security.c | 7 ++++--- > > > > security/selinux/hooks.c | 2 +- > > > > security/smack/smack_lsm.c | 2 +- > > > > 8 files changed, 13 insertions(+), 11 deletions(-) > > > > > > > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c > > > > index b8e25ca51016..bd9ddcefb7a7 100644 > > > > --- a/fs/overlayfs/copy_up.c > > > > +++ b/fs/overlayfs/copy_up.c > > > > @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de > > > > if (ovl_is_private_xattr(sb, name)) > > > > continue; > > > > > > > > - error = security_inode_copy_up_xattr(name); > > > > + error = security_inode_copy_up_xattr(old, name); > > > > > > What do you think about: > > > > > > error = security_inode_copy_up_xattr(name, NULL, 0); > > > > > > and then later... > > > > > > error = security_inode_copy_up_xattr(name, value, size); > > > > > > I am asking because overlayfs uses mnt_idmap(path->mnt) and you > > > have used nop_mnt_idmap inside evm hook. > > > this does not look right to me? > > > > So it's relevant if they interact with xattrs that care about the > > idmapping and that's POSIX ACLs and fscaps. And only if they perform > > permission checks such as posix_acl_update_mode() or something. IOW, it > > depends on what exactly EVM is doing. > > In 2/5 we are reading the value of security.evm to look at its contents. I'm not sure what this is supposed to be telling me in relation to the original question though. :) security.evm doesn't store any {g,u}id information afaict. IOW, it shouldn't matter?
On Thu, Feb 1, 2024 at 3:35 PM Christian Brauner <brauner@kernel.org> wrote: > > On Wed, Jan 31, 2024 at 09:56:25AM -0500, Stefan Berger wrote: > > > > > > On 1/31/24 09:25, Christian Brauner wrote: > > > On Wed, Jan 31, 2024 at 03:25:29PM +0200, Amir Goldstein wrote: > > > > On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@linux.ibm.com> wrote: > > > > > > > > > > Copying up xattrs is solely based on the security xattr name. For finer > > > > > granularity add a dentry parameter to the security_inode_copy_up_xattr > > > > > hook definition, allowing decisions to be based on the xattr content as > > > > > well. > > > > > > > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > > > --- > > > > > fs/overlayfs/copy_up.c | 2 +- > > > > > include/linux/evm.h | 2 +- > > > > > include/linux/lsm_hook_defs.h | 3 ++- > > > > > include/linux/security.h | 4 ++-- > > > > > security/integrity/evm/evm_main.c | 2 +- > > > > > security/security.c | 7 ++++--- > > > > > security/selinux/hooks.c | 2 +- > > > > > security/smack/smack_lsm.c | 2 +- > > > > > 8 files changed, 13 insertions(+), 11 deletions(-) > > > > > > > > > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c > > > > > index b8e25ca51016..bd9ddcefb7a7 100644 > > > > > --- a/fs/overlayfs/copy_up.c > > > > > +++ b/fs/overlayfs/copy_up.c > > > > > @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de > > > > > if (ovl_is_private_xattr(sb, name)) > > > > > continue; > > > > > > > > > > - error = security_inode_copy_up_xattr(name); > > > > > + error = security_inode_copy_up_xattr(old, name); > > > > > > > > What do you think about: > > > > > > > > error = security_inode_copy_up_xattr(name, NULL, 0); > > > > > > > > and then later... > > > > > > > > error = security_inode_copy_up_xattr(name, value, size); > > > > > > > > I am asking because overlayfs uses mnt_idmap(path->mnt) and you > > > > have used nop_mnt_idmap inside evm hook. > > > > this does not look right to me? > > > > > > So it's relevant if they interact with xattrs that care about the > > > idmapping and that's POSIX ACLs and fscaps. And only if they perform > > > permission checks such as posix_acl_update_mode() or something. IOW, it > > > depends on what exactly EVM is doing. > > > > In 2/5 we are reading the value of security.evm to look at its contents. > > I'm not sure what this is supposed to be telling me in relation to the > original question though. :) security.evm doesn't store any {g,u}id > information afaict. IOW, it shouldn't matter? But it does. in evm_calc_hmac_or_hash() => hmac_add_misc(): hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid); hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); I guess as far as EVM is concerned, it should always be interested in the absolute uig/gid values of the inode. Thanks, Amir.
On 1/31/24 08:25, Amir Goldstein wrote: > On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@linux.ibm.com> wrote: >> >> Copying up xattrs is solely based on the security xattr name. For finer >> granularity add a dentry parameter to the security_inode_copy_up_xattr >> hook definition, allowing decisions to be based on the xattr content as >> well. >> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> --- >> fs/overlayfs/copy_up.c | 2 +- >> include/linux/evm.h | 2 +- >> include/linux/lsm_hook_defs.h | 3 ++- >> include/linux/security.h | 4 ++-- >> security/integrity/evm/evm_main.c | 2 +- >> security/security.c | 7 ++++--- >> security/selinux/hooks.c | 2 +- >> security/smack/smack_lsm.c | 2 +- >> 8 files changed, 13 insertions(+), 11 deletions(-) >> >> diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c >> index b8e25ca51016..bd9ddcefb7a7 100644 >> --- a/fs/overlayfs/copy_up.c >> +++ b/fs/overlayfs/copy_up.c >> @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de >> if (ovl_is_private_xattr(sb, name)) >> continue; >> >> - error = security_inode_copy_up_xattr(name); >> + error = security_inode_copy_up_xattr(old, name); > > What do you think about: > > error = security_inode_copy_up_xattr(name, NULL, 0); We need 'old'. > > and then later... > > error = security_inode_copy_up_xattr(name, value, size); Are these parameter used to first query for the necessary size of the buffer and then provide the buffer to fill it? Or should the function rather take an existing buffer and realloc it if necessary and place the value of the xattr into it? Unfortunately this function currently returns '1' for 'discard', so returning the size of the xattr value from it maybe not ideal but it would require maybe yet another parameter that indicates what the size of the xattr value is. Stefan > > I am asking because overlayfs uses mnt_idmap(path->mnt) and you > have used nop_mnt_idmap inside evm hook. > this does not look right to me? > > Thanks, > Amir.
On Thu, Feb 01, 2024 at 04:18:32PM +0200, Amir Goldstein wrote: > On Thu, Feb 1, 2024 at 3:35 PM Christian Brauner <brauner@kernel.org> wrote: > > > > On Wed, Jan 31, 2024 at 09:56:25AM -0500, Stefan Berger wrote: > > > > > > > > > On 1/31/24 09:25, Christian Brauner wrote: > > > > On Wed, Jan 31, 2024 at 03:25:29PM +0200, Amir Goldstein wrote: > > > > > On Tue, Jan 30, 2024 at 11:46 PM Stefan Berger <stefanb@linux.ibm.com> wrote: > > > > > > > > > > > > Copying up xattrs is solely based on the security xattr name. For finer > > > > > > granularity add a dentry parameter to the security_inode_copy_up_xattr > > > > > > hook definition, allowing decisions to be based on the xattr content as > > > > > > well. > > > > > > > > > > > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > > > > > > --- > > > > > > fs/overlayfs/copy_up.c | 2 +- > > > > > > include/linux/evm.h | 2 +- > > > > > > include/linux/lsm_hook_defs.h | 3 ++- > > > > > > include/linux/security.h | 4 ++-- > > > > > > security/integrity/evm/evm_main.c | 2 +- > > > > > > security/security.c | 7 ++++--- > > > > > > security/selinux/hooks.c | 2 +- > > > > > > security/smack/smack_lsm.c | 2 +- > > > > > > 8 files changed, 13 insertions(+), 11 deletions(-) > > > > > > > > > > > > diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c > > > > > > index b8e25ca51016..bd9ddcefb7a7 100644 > > > > > > --- a/fs/overlayfs/copy_up.c > > > > > > +++ b/fs/overlayfs/copy_up.c > > > > > > @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de > > > > > > if (ovl_is_private_xattr(sb, name)) > > > > > > continue; > > > > > > > > > > > > - error = security_inode_copy_up_xattr(name); > > > > > > + error = security_inode_copy_up_xattr(old, name); > > > > > > > > > > What do you think about: > > > > > > > > > > error = security_inode_copy_up_xattr(name, NULL, 0); > > > > > > > > > > and then later... > > > > > > > > > > error = security_inode_copy_up_xattr(name, value, size); > > > > > > > > > > I am asking because overlayfs uses mnt_idmap(path->mnt) and you > > > > > have used nop_mnt_idmap inside evm hook. > > > > > this does not look right to me? > > > > > > > > So it's relevant if they interact with xattrs that care about the > > > > idmapping and that's POSIX ACLs and fscaps. And only if they perform > > > > permission checks such as posix_acl_update_mode() or something. IOW, it > > > > depends on what exactly EVM is doing. > > > > > > In 2/5 we are reading the value of security.evm to look at its contents. > > > > I'm not sure what this is supposed to be telling me in relation to the > > original question though. :) security.evm doesn't store any {g,u}id > > information afaict. IOW, it shouldn't matter? > > But it does. in evm_calc_hmac_or_hash() => hmac_add_misc(): > > hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid); > hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); > > I guess as far as EVM is concerned, it should always be interested in the > absolute uig/gid values of the inode. There we go, thanks Amir. Yes, these EVM values can't be relative to any idmappings. If inode->i_uid has kuid 100000 and 100000 maps to zero in the caller's user namespace then you'd be storing hmac_misc.{g,u}id zero. That would be problematic as it would give the impression that real root caused that hmac to be written. So this really needs to store 100000 to make it clear that this was an unprivileged user that created these values.
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index b8e25ca51016..bd9ddcefb7a7 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de if (ovl_is_private_xattr(sb, name)) continue; - error = security_inode_copy_up_xattr(name); + error = security_inode_copy_up_xattr(old, name); if (error < 0 && error != -EOPNOTSUPP) break; if (error == 1) { diff --git a/include/linux/evm.h b/include/linux/evm.h index 36ec884320d9..d8c0343436b8 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -31,7 +31,7 @@ extern void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len); -extern int evm_inode_copy_up_xattr(const char *name); +extern int evm_inode_copy_up_xattr(struct dentry *dentry, const char *name); extern int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *xattr_name); extern void evm_inode_post_removexattr(struct dentry *dentry, diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 185924c56378..7dd61f51d84a 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -163,7 +163,8 @@ LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, size_t buffer_size) LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) -LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name) +LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src, + const char *name) LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, struct kernfs_node *kn) LSM_HOOK(int, 0, file_permission, struct file *file, int mask) diff --git a/include/linux/security.h b/include/linux/security.h index d0eb20f90b26..9fc9ca6284d6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -387,7 +387,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); void security_inode_getsecid(struct inode *inode, u32 *secid); int security_inode_copy_up(struct dentry *src, struct cred **new); -int security_inode_copy_up_xattr(const char *name); +int security_inode_copy_up_xattr(struct dentry *src, const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, struct kernfs_node *kn); int security_file_permission(struct file *file, int mask); @@ -980,7 +980,7 @@ static inline int security_kernfs_init_security(struct kernfs_node *kn_dir, return 0; } -static inline int security_inode_copy_up_xattr(const char *name) +static inline int security_inode_copy_up_xattr(struct dentry *src, const char *name) { return -EOPNOTSUPP; } diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index cc7956d7878b..2555aa4501ae 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -896,7 +896,7 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) evm_update_evmxattr(dentry, NULL, NULL, 0); } -int evm_inode_copy_up_xattr(const char *name) +int evm_inode_copy_up_xattr(struct dentry *src, const char *name) { if (strcmp(name, XATTR_NAME_EVM) == 0) return 1; /* Discard */ diff --git a/security/security.c b/security/security.c index 0144a98d3712..ee63863c1dc0 100644 --- a/security/security.c +++ b/security/security.c @@ -2596,6 +2596,7 @@ EXPORT_SYMBOL(security_inode_copy_up); /** * security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op + * @src: union dentry of copy-up file * @name: xattr name * * Filter the xattrs being copied up when a unioned file is copied up from a @@ -2606,7 +2607,7 @@ EXPORT_SYMBOL(security_inode_copy_up); * if the security module does not know about attribute, or a negative * error code to abort the copy up. */ -int security_inode_copy_up_xattr(const char *name) +int security_inode_copy_up_xattr(struct dentry *src, const char *name) { struct security_hook_list *hp; int rc; @@ -2618,12 +2619,12 @@ int security_inode_copy_up_xattr(const char *name) */ hlist_for_each_entry(hp, &security_hook_heads.inode_copy_up_xattr, list) { - rc = hp->hook.inode_copy_up_xattr(name); + rc = hp->hook.inode_copy_up_xattr(src, name); if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) return rc; } - return evm_inode_copy_up_xattr(name); + return evm_inode_copy_up_xattr(src, name); } EXPORT_SYMBOL(security_inode_copy_up_xattr); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6bf90ace84c..ebb8876837c6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3530,7 +3530,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) return 0; } -static int selinux_inode_copy_up_xattr(const char *name) +static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) { /* The copy_up hook above sets the initial context on an inode, but we * don't then want to overwrite it by blindly copying all the lower diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0fdbf04cc258..bffca165f07f 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4873,7 +4873,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) return 0; } -static int smack_inode_copy_up_xattr(const char *name) +static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) { /* * Return 1 if this is the smack access Smack attribute.