Re: [PATCH v3 0/2] ima/evm fixes for v5.2

From: Roberto Sassu
Date: Thu Jun 06 2019 - 11:27:07 EST

Next message: Alex Kogan: "Re: [PATCH v2 3/5] locking/qspinlock: Introduce CNA into the slow path of qspinlock"
Previous message: Filipe Manana: "Re: [PATCH 2/2] btrfs: convert snapshot/nocow exlcusion to drw lock"
In reply to: Mimi Zohar: "Re: [PATCH v3 0/2] ima/evm fixes for v5.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/6/2019 4:49 PM, Mimi Zohar wrote:

On Thu, 2019-06-06 at 13:43 +0200, Roberto Sassu wrote:

On 6/6/2019 1:26 PM, Roberto Sassu wrote:

Previous versions included the patch 'ima: don't ignore INTEGRITY_UNKNOWN
EVM status'. However, I realized that this patch cannot be accepted alone
because IMA-Appraisal would deny access to new files created during the
boot. With the current behavior, those files are accessible because they
have a valid security.ima (not protected by EVM) created after the first
write.

A solution for this problem is to initialize EVM very early with a random
key. Access to created files will be granted, even with the strict
appraisal, because after the first write those files will have both
security.ima and security.evm (HMAC calculated with the random key).

Strict appraisal will work only if it is done with signatures until the
persistent HMAC key is loaded.

Changelog

v2:
- remove patch 1/3 (evm: check hash algorithm passed to init_desc());
already accepted
- remove patch 3/3 (ima: show rules with IMA_INMASK correctly);
already accepted
- add new patch (evm: add option to set a random HMAC key at early boot)
- patch 2/3: modify patch description

Roberto, as I tried explaining previously, this feature is not a
simple bug fix. ÂThese patches, if upstreamed, will be upstreamed the
normal way, during an open window. ÂWhether they are classified as a
bug fix has yet to be decided.

Sorry, I understood that I can claim that there is a bug. I provided a
motivation in patch 2/2.

Please stop Cc'ing stable. ÂIf I don't Cc stable before sending the pull request, then Greg and Sasha have been really good about deciding which patches should be backported. Â(Please refer to the comment on "Cc'ing stable" in section "5) Select the recipients for your patch" in Documentation/process/submitting-patches.rst.)

I'll review these patches, but in the future please use an appropriate patch set cover letter title in the subject line.

Ok.

Thanks

Roberto

--
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Bo PENG, Jian LI, Yanli SHI

Next message: Alex Kogan: "Re: [PATCH v2 3/5] locking/qspinlock: Introduce CNA into the slow path of qspinlock"
Previous message: Filipe Manana: "Re: [PATCH 2/2] btrfs: convert snapshot/nocow exlcusion to drw lock"
In reply to: Mimi Zohar: "Re: [PATCH v3 0/2] ima/evm fixes for v5.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]