From patchwork Tue Jan 30 21:46:16 2024
From: Stefan Berger
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, amir73il@gmail.com, miklos@szeredi.hu, Stefan Berger
Subject: [PATCH 1/5] security: allow finer granularity in permitting copy-up of security xattrs
Date: Tue, 30 Jan 2024 16:46:16 -0500
Message-ID: <20240130214620.3155380-2-stefanb@linux.ibm.com>
In-Reply-To: <20240130214620.3155380-1-stefanb@linux.ibm.com>

Copying up xattrs is solely based on the security xattr name. For finer granularity add a dentry parameter to the security_inode_copy_up_xattr hook definition, allowing decisions to be based on the xattr content as well.
Signed-off-by: Stefan Berger --- fs/overlayfs/copy_up.c | 2 +- include/linux/evm.h | 2 +- include/linux/lsm_hook_defs.h | 3 ++- include/linux/security.h | 4 ++-- security/integrity/evm/evm_main.c | 2 +- security/security.c | 7 ++++--- security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- 8 files changed, 13 insertions(+), 11 deletions(-) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index b8e25ca51016..bd9ddcefb7a7 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -114,7 +114,7 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de if (ovl_is_private_xattr(sb, name)) continue; - error = security_inode_copy_up_xattr(name); + error = security_inode_copy_up_xattr(old, name); if (error < 0 && error != -EOPNOTSUPP) break; if (error == 1) { diff --git a/include/linux/evm.h b/include/linux/evm.h index 36ec884320d9..d8c0343436b8 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -31,7 +31,7 @@ extern void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len); -extern int evm_inode_copy_up_xattr(const char *name); +extern int evm_inode_copy_up_xattr(struct dentry *dentry, const char *name); extern int evm_inode_removexattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *xattr_name); extern void evm_inode_post_removexattr(struct dentry *dentry, diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 185924c56378..7dd61f51d84a 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h 
@@ -163,7 +163,8 @@ LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, size_t buffer_size) LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) -LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name) +LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src, + const char *name) LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, struct kernfs_node *kn) LSM_HOOK(int, 0, file_permission, struct file *file, int mask) diff --git a/include/linux/security.h b/include/linux/security.h index d0eb20f90b26..9fc9ca6284d6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -387,7 +387,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); void security_inode_getsecid(struct inode *inode, u32 *secid); int security_inode_copy_up(struct dentry *src, struct cred **new); -int security_inode_copy_up_xattr(const char *name); +int security_inode_copy_up_xattr(struct dentry *src, const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, struct kernfs_node *kn); int security_file_permission(struct file *file, int mask); @@ -980,7 +980,7 @@ static inline int security_kernfs_init_security(struct kernfs_node *kn_dir, return 0; } -static inline int security_inode_copy_up_xattr(const char *name) +static inline int security_inode_copy_up_xattr(struct dentry *src, const char *name) { return -EOPNOTSUPP; } diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index cc7956d7878b..2555aa4501ae 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c 
@@ -896,7 +896,7 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) evm_update_evmxattr(dentry, NULL, NULL, 0); } -int evm_inode_copy_up_xattr(const char *name) +int evm_inode_copy_up_xattr(struct dentry *src, const char *name) { if (strcmp(name, XATTR_NAME_EVM) == 0) return 1; /* Discard */ diff --git a/security/security.c b/security/security.c index 0144a98d3712..ee63863c1dc0 100644 --- a/security/security.c +++ b/security/security.c @@ -2596,6 +2596,7 @@ EXPORT_SYMBOL(security_inode_copy_up); /** * security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op + * @src: union dentry of copy-up file * @name: xattr name * * Filter the xattrs being copied up when a unioned file is copied up from a @@ -2606,7 +2607,7 @@ EXPORT_SYMBOL(security_inode_copy_up); * if the security module does not know about attribute, or a negative * error code to abort the copy up. */ -int security_inode_copy_up_xattr(const char *name) +int security_inode_copy_up_xattr(struct dentry *src, const char *name) { struct security_hook_list *hp; int rc; @@ -2618,12 +2619,12 @@ int security_inode_copy_up_xattr(const char *name) */ hlist_for_each_entry(hp, &security_hook_heads.inode_copy_up_xattr, list) { - rc = hp->hook.inode_copy_up_xattr(name); + rc = hp->hook.inode_copy_up_xattr(src, name); if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr)) return rc; } - return evm_inode_copy_up_xattr(name); + return evm_inode_copy_up_xattr(src, name); } EXPORT_SYMBOL(security_inode_copy_up_xattr); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6bf90ace84c..ebb8876837c6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3530,7 +3530,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) return 0; } -static int selinux_inode_copy_up_xattr(const char *name) +static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) { /* The copy_up hook above sets the initial context on an inode, but we * don't then want to overwrite it by blindly copying all the lower diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0fdbf04cc258..bffca165f07f 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -4873,7 +4873,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) return 0; } -static int smack_inode_copy_up_xattr(const char *name) +static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) { /* * Return 1 if this is the smack access Smack attribute.
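Review bot: the kerneldoc added in security/security.c describes @src as the "union dentry of copy-up file", but the only caller, fs/overlayfs/copy_up.c, passes `old`, which by its name and by the function's `const struct path *oldpath` parameter is the source (lower) side, not the overlay's union dentry. Decide which dentry the hook contract promises and make the two agree: if the intent is that implementations read the real lower xattr through it (patch 2/5 does exactly that with vfs_getxattr_alloc()), keep `old` and reword the comment to "@src: dentry of the lower file being copied up".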
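Review bot: parameter naming is inconsistent across the hunks: lsm_hook_defs.h, security.h, security.c, evm_main.c and smack_lsm.c call the new argument `src`, while selinux_inode_copy_up_xattr() calls it `dentry`; use `src` there too so it matches `LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src, const char *name)`. The new inline stub in include/linux/security.h, `static inline int security_inode_copy_up_xattr(struct dentry *src, const char *name)`, also runs past 80 columns; wrap it the way the lsm_hook_defs.h entry in this patch is wrapped.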
From patchwork Tue Jan 30 21:46:17 2024
From: Stefan Berger
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, amir73il@gmail.com, miklos@szeredi.hu, Stefan Berger
Subject: [PATCH 2/5] evm: Implement per signature type decision in security_inode_copy_up_xattr
Date: Tue, 30 Jan 2024 16:46:17 -0500
Message-ID: <20240130214620.3155380-3-stefanb@linux.ibm.com>
In-Reply-To: <20240130214620.3155380-1-stefanb@linux.ibm.com>

To support portable and immutable signatures on otherwise unsupported filesystems, determine the EVM signature type by the content of a file's xattr. If the file has the appropriate signature then allow it to be copied up. All other signature types are discarded as before.
Portable and immutable EVM signatures can be copied up by stacked filesystems since the metadata their signature covers does not include filesystem-specific data such as a file's inode number, generation, and UUID.

Signed-off-by: Stefan Berger
---
 security/integrity/evm/evm_main.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 2555aa4501ae..22a5e26860ea 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -898,9 +898,30 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) int evm_inode_copy_up_xattr(struct dentry *src, const char *name) { - if (strcmp(name, XATTR_NAME_EVM) == 0) - return 1; /* Discard */ - return -EOPNOTSUPP; + struct evm_ima_xattr_data *xattr_data = NULL; + int rc; + + if (strcmp(name, XATTR_NAME_EVM) != 0) + return -EOPNOTSUPP; + + /* first need to know the sig type */ + rc = vfs_getxattr_alloc(&nop_mnt_idmap, src, XATTR_NAME_EVM, + (char **)&xattr_data, 0, GFP_NOFS); + if (rc <= 0) + return -EPERM; + + switch (xattr_data->type) { + case EVM_XATTR_PORTABLE_DIGSIG: + rc = 0; /* allow copy-up */ + break; + case EVM_XATTR_HMAC: + case EVM_IMA_XATTR_DIGSIG: + default: + rc = 1; /* discard */ + } + + kfree(xattr_data); + return rc; } /*
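Review bot: the error path after vfs_getxattr_alloc() collapses every failure into -EPERM, which aborts the whole copy-up (ovl_copy_xattr() breaks on any negative return other than -EOPNOTSUPP) and hides the real errno from the xattr read. Consider `if (rc < 0) return rc;` and treating `rc == 0` (an empty security.evm) as `return 1;`, i.e. discard, which keeps the pre-patch behaviour for a malformed xattr rather than making the file impossible to copy up. Two smaller points: a one-line comment that the hook deliberately inspects only the type byte and leaves signature verification to the normal EVM verify path would spare reviewers the question; and the `case EVM_XATTR_HMAC:` / `case EVM_IMA_XATTR_DIGSIG:` labels are redundant with `default:`, so either drop them or note that they are there for documentation.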
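The signature-type decision described in this commit message, as an added user-space checker (my code, not part of the patch series or the kernel): it classifies a file's security.evm xattr by its leading type byte exactly as the patched hook does, and for a portable signature also parses the signature_v2_hdr as an extra sanity check that the hook itself does not perform. The enum values and the header layout are the ones I know from the kernel's security/integrity/integrity.h; the sample xattr bytes are constructed dummies, not real signatures.

```c
/*
 * Added example, not part of the patch series: decide whether a security.evm
 * value would be copied up by the patched evm_inode_copy_up_xattr() (type
 * byte only), and parse a portable signature's header as a sanity check.
 * Assumed signature_v2_hdr layout: type(1) version(1) hash_algo(1)
 * keyid(4, big-endian) sig_size(2, big-endian), then sig_size payload bytes.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* enum evm_ima_xattr_type values as defined in the kernel's integrity.h */
enum {
	EVM_XATTR_HMAC = 2,
	EVM_IMA_XATTR_DIGSIG = 3,
	EVM_XATTR_PORTABLE_DIGSIG = 5,
};

#define EVM_SIG_V2_HDR_LEN 9	/* header bytes before the signature payload */

struct evm_info {
	uint8_t type;
	uint8_t version;	/* the remaining fields: portable signatures only */
	uint8_t hash_algo;	/* kernel enum hash_algo, e.g. 4 = sha256 */
	uint32_t keyid;
	uint16_t sig_size;
};

/*
 * Verdict in the hook's convention: 0 = allow copy-up (portable signature),
 * 1 = discard (HMAC and every other host-bound type, as the patch does),
 * -EINVAL = empty xattr, or a portable signature whose header/payload length
 * does not fit. The kernel hook looks only at the type byte and leaves
 * signature verification to the later EVM verify path.
 */
int evm_copy_up_verdict(const uint8_t *buf, size_t len, struct evm_info *info)
{
	struct evm_info tmp = {0};

	if (len == 0)
		return -EINVAL;
	tmp.type = buf[0];
	if (tmp.type != EVM_XATTR_PORTABLE_DIGSIG) {
		if (info)
			*info = tmp;
		return 1;
	}
	if (len < EVM_SIG_V2_HDR_LEN)
		return -EINVAL;
	tmp.version = buf[1];
	tmp.hash_algo = buf[2];
	tmp.keyid = ((uint32_t)buf[3] << 24) | ((uint32_t)buf[4] << 16) |
		    ((uint32_t)buf[5] << 8) | buf[6];
	tmp.sig_size = (uint16_t)(((uint16_t)buf[7] << 8) | buf[8]);
	if ((size_t)tmp.sig_size != len - EVM_SIG_V2_HDR_LEN)
		return -EINVAL;	/* payload must cover exactly the rest */
	if (info)
		*info = tmp;
	return 0;
}

/* Constructed sample xattr values for offline use; the signatures are dummies. */
const uint8_t sample_portable[] = {
	EVM_XATTR_PORTABLE_DIGSIG, 2, 4,	/* type, version 2, sha256 */
	0xde, 0xad, 0xbe, 0xef,			/* keyid, big-endian */
	0x00, 0x04,				/* sig_size = 4 */
	0x01, 0x02, 0x03, 0x04			/* signature payload */
};
const uint8_t sample_hmac[] = { EVM_XATTR_HMAC, 0xaa, 0xbb, 0xcc };
const uint8_t sample_truncated[] = { EVM_XATTR_PORTABLE_DIGSIG, 2, 4, 0, 0 };

#ifdef __linux__
#include <sys/xattr.h>

/* Inspect a real file: would its security.evm survive an overlayfs copy-up? */
int main(int argc, char **argv)
{
	uint8_t buf[4096];
	struct evm_info info;
	ssize_t n;
	int rc;

	if (argc != 2) {
		fprintf(stderr, "usage: %s <file>\n", argv[0]);
		return 2;
	}
	n = lgetxattr(argv[1], "security.evm", buf, sizeof(buf));
	if (n < 0) {
		perror("lgetxattr(security.evm)");
		return 1;
	}
	rc = evm_copy_up_verdict(buf, (size_t)n, &info);
	printf("%s: type %u -> %s\n", argv[1], buf[0], rc == 0 ? "allowed on copy-up"
	       : rc == 1 ? "discarded on copy-up" : "malformed");
	if (rc == 0)
		printf("  version %u hash_algo %u keyid 0x%08x sig_size %u\n",
		       info.version, info.hash_algo, (unsigned)info.keyid, info.sig_size);
	return rc < 0;
}
#endif
```

Run it against a lower-layer file (as a user allowed to read security.* xattrs) to see in advance whether the patched hook would keep or drop its EVM xattr.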
From patchwork Tue Jan 30 21:46:18 2024
From: Stefan Berger
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, amir73il@gmail.com, miklos@szeredi.hu, Stefan Berger
Subject: [PATCH 3/5] ima: Reset EVM status upon detecting changes to overlay backing file
Date: Tue, 30 Jan 2024 16:46:18 -0500
Message-ID: <20240130214620.3155380-4-stefanb@linux.ibm.com>
In-Reply-To: <20240130214620.3155380-1-stefanb@linux.ibm.com>
References: <20240130214620.3155380-1-stefanb@linux.ibm.com>

To avoid caching effects from taking effect, reset the EVM status upon detecting changes to the overlay backing files. This prevents a not-yet-copied-up file on the overlay from executing if, for example, the security.evm xattr on the file on the 'lower' layer has been removed.
Signed-off-by: Stefan Berger --- include/linux/evm.h | 8 ++++++++ security/integrity/evm/evm_main.c | 7 +++++++ security/integrity/ima/ima_main.c | 2 ++ 3 files changed, 17 insertions(+) diff --git a/include/linux/evm.h b/include/linux/evm.h index d8c0343436b8..e7d6742eee9d 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -66,6 +66,8 @@ extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, int buffer_size, char type, bool canonical_fmt); +extern void evm_reset_cache_status(struct dentry *dentry, + struct integrity_iint_cache *iint); #ifdef CONFIG_FS_POSIX_ACL extern int posix_xattr_acl(const char *xattrname); #else @@ -189,5 +191,11 @@ static inline int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, return -EOPNOTSUPP; } +static inline void evm_reset_cache_status(struct dentry *dentry, + struct integrity_iint_cache *iint) +{ + return; +} + #endif /* CONFIG_EVM */ #endif /* LINUX_EVM_H */ diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 22a5e26860ea..e96d127b48a2 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -721,6 +721,13 @@ static void evm_reset_status(struct inode *inode) iint->evm_status = INTEGRITY_UNKNOWN; } +void evm_reset_cache_status(struct dentry *dentry, + struct integrity_iint_cache *iint) +{ + if (d_real_inode(dentry) != d_backing_inode(dentry)) + iint->evm_status = INTEGRITY_UNKNOWN; +} + /** * evm_revalidate_status - report whether EVM status re-validation is necessary * @xattr_name: pointer to the affected extended attribute name diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index cc1217ac2c6f..84bdc6e58329 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "ima.h" 
@@ -295,6 +296,7 @@ static int process_measurement(struct file *file, const struct cred *cred, !inode_eq_iversion(backing_inode, iint->version)) { iint->flags &= ~IMA_DONE_MASK; iint->measured_pcrs = 0; + evm_reset_cache_status(file_dentry(file), iint); } }
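Review bot: in the include/linux/evm.h hunk, the !CONFIG_EVM stub `static inline void evm_reset_cache_status(struct dentry *dentry, struct integrity_iint_cache *iint) { return; }` carries a bare `return;` in a void function; the other stubs in this header return a value, but for a void stub the kernel convention is an empty body `{ }`. The new extern declaration would also benefit from a one-line comment saying it only clears the cached EVM status for overlay-backed dentries, since a caller reading evm.h alone cannot tell that from the name.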
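Review bot: in the security/integrity/evm/evm_main.c hunk, `evm_reset_cache_status()` is a new externally visible function placed directly above `evm_revalidate_status()`, which has a kernel-doc block, yet it has no comment at all; add a kernel-doc header that explains that `d_real_inode(dentry) != d_backing_inode(dentry)` identifies a file on an overlay that has not been copied up, because that meaning is not obvious from the two helper names. The function also dereferences `iint` unconditionally, so either document that callers must pass a non-NULL iint (the only caller in this series already holds one) or guard it.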
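Review bot: in the security/integrity/ima/ima_main.c hunk, the new `evm_reset_cache_status(file_dentry(file), iint);` call sits inside the branch that already discards IMA's own cached state (`iint->flags &= ~IMA_DONE_MASK; iint->measured_pcrs = 0;`), so it only runs when IMA has noticed an i_version change on the backing inode; please add a one-line comment there, since nothing in the code says why EVM's cached verdict has to be invalidated together with IMA's (the commit message explains it, the source does not). It is also worth noting in that comment that the helper re-checks the overlay condition itself and is a no-op for files that are not on an overlay.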
From: Stefan Berger
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, amir73il@gmail.com, miklos@szeredi.hu, Stefan Berger
Subject: [PATCH 4/5] evm: Use the real inode's metadata to calculate metadata hash
Date: Tue, 30 Jan 2024 16:46:19 -0500
Message-ID: <20240130214620.3155380-5-stefanb@linux.ibm.com>
In-Reply-To: <20240130214620.3155380-1-stefanb@linux.ibm.com>
References: <20240130214620.3155380-1-stefanb@linux.ibm.com>

Changes to the file attributes (mode bits, uid, gid) on the lower layer are not taken into account when d_backing_inode() is used when a file is accessed on the overlay layer and this file has not yet been copied up. This is because d_backing_inode() does not return the real inode of the lower layer but instead returns the backing inode, which holds old file attributes.
When the old file attributes are used for calculating the metadata hash then the expected hash is calculated and the file then mistakenly passes signature verification. Therefore, use d_real_inode() which returns the inode of the lower layer for as long as the file has not been copied up and returns the upper layer's inode otherwise. Signed-off-by: Stefan Berger --- security/integrity/evm/evm_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index b1ffd4cc0b44..2e48fe54e899 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c 
@@ -223,7 +223,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, size_t req_xattr_value_len, uint8_t type, struct evm_digest *data) { - struct inode *inode = d_backing_inode(dentry); + struct inode *inode = d_real_inode(dentry); struct xattr_list *xattr; struct shash_desc *desc; size_t xattr_size = 0;
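Review bot: switching the `inode` local in `evm_calc_hmac_or_hash()` from `d_backing_inode(dentry)` to `d_real_inode(dentry)` changes the source of every inode-derived field the function feeds into the digest, not only the mode/uid/gid that the commit message names, so the commit message should state explicitly that for a not-yet-copied-up overlay file all of the lower inode's metadata is now what gets hashed. Elsewhere in EVM the iint lookup still uses `d_backing_inode(dentry)` (see `integrity_iint_find(d_backing_inode(dentry))` in evm_verifyxattr() in patch 5/5); a short comment on this line that the cache is deliberately keyed by the backing inode while the hash is computed from the real inode would stop someone later "aligning" one with the other.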
From: Stefan Berger
To: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-unionfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, amir73il@gmail.com, miklos@szeredi.hu, Stefan Berger
Subject: [PATCH 5/5] evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
Date: Tue, 30 Jan 2024 16:46:20 -0500
Message-ID: <20240130214620.3155380-6-stefanb@linux.ibm.com>
In-Reply-To: <20240130214620.3155380-1-stefanb@linux.ibm.com>
References: <20240130214620.3155380-1-stefanb@linux.ibm.com>

Unsupported filesystems currently do not enforce any signatures. Add support for signature enforcement of the "original" and "portable & immutable" signatures when EVM_INIT_X509 is enabled. The "original" signature type contains filesystem-specific metadata. Thus it cannot be copied up and verified. However, with EVM_INIT_X509 and EVM_ALLOW_METADATA_WRITES enabled, the "original" file signature may be written.
When EVM_ALLOW_METADATA_WRITES is not set or once it is removed from /sys/kernel/security/evm by setting EVM_INIT_HMAC for example, it is not possible to write or remove xattrs on the overlay filesystem. This change still prevents EVM from writing HMAC signatures on unsupported filesystem when EVM_INIT_HMAC is enabled. Signed-off-by: Stefan Berger --- security/integrity/evm/evm_main.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index e96d127b48a2..f49609dfcbc7 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -192,7 +192,11 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, iint->evm_status == INTEGRITY_PASS_IMMUTABLE)) return iint->evm_status; - if (is_unsupported_fs(dentry)) + /* + * On unsupported filesystems with EVM_INIT_X509 not enabled, skip + * signature verification. + */ + if (!(evm_initialized & EVM_INIT_X509) && is_unsupported_fs(dentry)) return INTEGRITY_UNKNOWN; /* if status is not PASS, try to check again - against -ENOMEM */ @@ -262,7 +266,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, evm_status = INTEGRITY_PASS_IMMUTABLE; } else if (!IS_RDONLY(inode) && !(inode->i_sb->s_readonly_remount) && - !IS_IMMUTABLE(inode)) { + !IS_IMMUTABLE(inode) && + !is_unsupported_fs(dentry)) { evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); @@ -422,9 +427,6 @@ enum integrity_status evm_verifyxattr(struct dentry *dentry, if (!evm_key_loaded() || !evm_protected_xattr(xattr_name)) return INTEGRITY_UNKNOWN; - if (is_unsupported_fs(dentry)) - return INTEGRITY_UNKNOWN; - if (!iint) { iint = integrity_iint_find(d_backing_inode(dentry)); if (!iint)
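Review bot: in the first evm_verify_hmac() hunk, qualifying the early return with `!(evm_initialized & EVM_INIT_X509)` means that once an X.509 key is loaded the rest of the function runs on unsupported filesystems too; the second hunk stops the HMAC write-back, but nothing in the visible hunks or the commit message says what happens when the security.evm xattr found on such a filesystem is an HMAC rather than a signature (the commit message only promises that writing HMACs is still prevented). Please extend the new comment, or the commit message, to state that HMAC verification on unsupported filesystems is also not performed, or add that check if it is missing.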
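Review bot: in the second evm_verify_hmac() hunk, the added `!is_unsupported_fs(dentry)` term in the `else if` guarding `evm_update_evmxattr()` has no comment, while the first hunk's new condition got one; a one-liner such as `/* never (re)write an HMAC on an unsupported filesystem */` would make the two checks read as a pair and ties the code to the commit message's "still prevents EVM from writing HMAC signatures" statement.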
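Review bot: in the evm_verifyxattr() hunk, dropping the `is_unsupported_fs(dentry)` early return means the call now proceeds to `integrity_iint_find(d_backing_inode(dentry))` and into evm_verify_hmac(), where the first hunk re-introduces the same test under the EVM_INIT_X509 condition; that is functionally fine, but it moves the point at which INTEGRITY_UNKNOWN is produced for the HMAC-only case, so a sentence in the commit message saying the check was moved rather than removed would help anyone reading this hunk on its own.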