Re: [RFC][PATCH] overlayfs: Redirect xattr ops on security.evm to security.evm_overlayfs
From: Roberto Sassu <hidden>
Date: 2023-12-12 16:21:04
Also in:
linux-fsdevel, linux-integrity, linux-unionfs, lkml
On 12.12.23 11:44, Amir Goldstein wrote:
On Tue, Dec 12, 2023 at 12:25 PM Roberto Sassu [off-list ref] wrote:quoted
On 11.12.23 19:01, Christian Brauner wrote:quoted
quoted
The second problem is that one security.evm is not enough. We need two, to store the two different HMACs. And we need both at the same time, since when overlayfs is mounted the lower/upper directories can be still accessible."Changes to the underlying filesystems while part of a mounted overlay filesystem are not allowed. If the underlying filesystem is changed, the behavior of the overlay is undefined, though it will not result in a crash or deadlock." https://docs.kernel.org/filesystems/overlayfs.html#changes-to-underlying-filesystems So I don't know why this would be a problem.+ Eric Snowberg Ok, that would reduce the surface of attack. However, when looking at: ovl: Always reevaluate the file signature for IMA Commit db1d1e8b9867 ("IMA: use vfs_getattr_nosec to get the i_version") partially closed an IMA integrity issue when directly modifying a file on the lower filesystem. If the overlay file is first opened by a user and later the lower backing file is modified by root, but the extended attribute is NOT updated, the signature validation succeeds with the old original signature. Ok, so if the behavior of overlayfs is undefined if the lower backing file is modified by root, do we need to reevaluate? Or instead would be better to forbid the write from IMA (legitimate, I think, since the behavior is documented)? I just saw that we have d_real_inode(), we can use it to determine if the write should be denied.There may be several possible legitimate actions in this case, but the overall concept IMO should be the same as I said about EVM - overlayfs does not need an IMA signature of its own, because it can use the IMA signature of the underlying file. Whether overlayfs reads a file from lower fs or upper fs, it does not matter, the only thing that matters is that the underlying file content is attested when needed.
Just some thoughts... Ok, so we attest the lower/upper file. What about the path the application specified to access that file (just an example)? Not that it particularly matters (we are not protecting it yet), but we are not recording in the IMA measurement list what the application requested/sees. I don't have a good example for inode metadata, but we already started recording them too. Also, I'm thinking about overlayfs-own xattrs. Shouldn't they be protected? If they change during an offline attack, it would change how information are presented by overlayfs (I don't know much, for now). Roberto
The only incident that requires special attention is copy-up. This is what the security hooks security_inode_copy_up() and security_inode_copy_up_xattr() are for. When a file starts in state "lower" and has security.ima,evm xattrs then before a user changes the file, it is copied up to upper fs and suppose that security.ima,evm xattrs are copied as is? When later the overlayfs file content is read from the upper copy the security.ima signature should be enough to attest that file content was not tampered with between going from "lower" to "upper". security.evm may need to be fixed on copy up, but that should be easy to do with the security_inode_copy_up_xattr() hook. No? Thanks, Amir.