Thread (22 messages) 22 messages, 2 authors, 2020-05-13

Re: [RFC][PATCH 1/3] evm: Move hooks outside LSM infrastructure

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-05-06 19:45:10
Also in: linux-fsdevel, linux-integrity, lkml

[Cc: John Johansen] 

On Wed, 2020-04-29 at 09:39 +0200, Roberto Sassu wrote:
EVM is a module for the protection of the integrity of file metadata. It
protects security-relevant extended attributes, and some file attributes
such as the UID and the GID. It protects their integrity with an HMAC or
with a signature.

What makes EVM different from other LSMs is that it makes a security
decision depending on multiple pieces of information, which cannot be
managed atomically by the system.

Example: cp -a file.orig file.dest

If security.selinux, security.ima and security.evm must be preserved, cp
will invoke setxattr() for each xattr, and EVM performs a verification
during each operation. The problem is that copying security.evm from
file.orig to file.dest will likely break the following EVM verifications if
some metadata still have to be copied. EVM has no visibility on the
metadata of the source file, so it cannot determine when the copy can be
considered complete.
I remember having a similar discussion in the past.  At the time,
there wasn't EVM portable and immutable signature support, just the
HMAC and original signature types.  Neither of these EVM xattrs types
should be copied.

Calling evm_verifyxattr() is not limited to IMA, but may be called by
other LSMs/subsystems as well.  At some point, there was some
discussion about AppArmor calling it directly.  Not sure if that is
still being discussed.

Since copying the EVM HMAC or original signature isn't applicable, I
would prefer exploring an EVM portable and immutable signature only
solution.

Mimi
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help