Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
From: Deven Bowers
Date: Wed Aug 12 2020 - 13:07:16 EST
On 8/12/2020 7:18 AM, Chuck Lever wrote:
> On Aug 11, 2020, at 5:03 PM, James Morris <jmorris@xxxxxxxxx> wrote:
>> On Sat, 8 Aug 2020, Chuck Lever wrote:
>>> My interest is in code integrity enforcement for executables stored
>>> in NFS files.
>>> My struggle with IPE is that due to its dependence on dm-verity, it
>>> does not seem to be able to protect content that is stored separately
>>> from its execution environment and accessed via a file access
>>> protocol (FUSE, SMB, NFS, etc).
>> It's not dependent on DM-Verity, that's just one possible integrity
>> verification mechanism, and one of two supported in this initial
>> version. The other is 'boot_verified' for a verified or otherwise trusted
>> rootfs. Future versions will support FS-Verity, at least.
>> IPE was designed to be extensible in this way, with a strong separation of
>> mechanism and policy.
> I got that, but it looked to me like the whole system relied on having
> access to the block device under the filesystem. That's not possible
> for a remote filesystem like Ceph or NFS.
Block device structure no, (though that's what's currently used, to be
fair). It really has a hard dependency on the file structure,
specifically the ability to determine whether that file structure can be
used to navigate back to the integrity claim provided by the mechanism.
In the current world of IPE, the integrity claim is the root-hash or
root-hash-signature on the block device, provided by dm-verity's
setsecurity hooks (also introduced in this series).

> I'm happy to take a closer look if someone can point me the right way.

Sure, if you look at the 2nd patch, you want to look at the file
"security/ipe/ipe-property.h", it defines what methods are required to
be implemented by a mechanism to work with IPE. It passes the engine
context which is defined as:

	struct ipe_engine_ctx {
		enum ipe_op op;
		enum ipe_hook hook;
		const struct file *file;
		const char *audit_pathname;
		const struct ipe_bdev_blob *sec_bdev;
	};

Now, if the security blob existed for the block_device, it would be
in sec_bdev, but that may be NULL, as well to be fair.
If you want a more worked example of how integration works, patches 8
and 10 introduce the dm-verity properties mentioned in this patch.
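The following is an added illustration of the point made in this reply, not code from the IPE series or from the kernel: a property evaluator receives the engine context, and when the file cannot be navigated back to a block-device integrity claim (sec_bdev is NULL, as it would be for NFS, FUSE or SMB), the property must evaluate false and the policy falls through to deny. Only the ipe_engine_ctx layout follows the email; the enum members, the contents of ipe_bdev_blob, the evaluator names and the one-rule policy are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROOT_HASH_LEN 32

/* Illustrative stand-ins (assumed): only the ipe_engine_ctx layout
 * follows the email; enum members, blob contents and evaluators are
 * not the IPE patch set's code. */
enum ipe_op { IPE_OP_EXEC, IPE_OP_FIRMWARE };
enum ipe_hook { IPE_HOOK_EXEC, IPE_HOOK_MMAP };

struct file;	/* opaque here, as in the kernel */

/* Security blob a dm-verity setsecurity hook would attach to the block
 * device under a verity target (assumed shape). */
struct ipe_bdev_blob {
	unsigned char root_hash[ROOT_HASH_LEN];
	bool root_hash_sig_ok;	/* signature over the root hash already verified */
};

struct ipe_engine_ctx {
	enum ipe_op op;
	enum ipe_hook hook;
	const struct file *file;
	const char *audit_pathname;
	const struct ipe_bdev_blob *sec_bdev;	/* NULL when no blob exists */
};

/* Property: "is this file backed by a verity device whose root hash
 * equals the one the policy names?" */
static bool prop_dmverity_roothash(const struct ipe_engine_ctx *ctx,
				   const unsigned char expected[ROOT_HASH_LEN])
{
	/* Remote or non-verity fs: no claim to navigate back to, so the
	 * property is false rather than assumed. */
	if (!ctx->sec_bdev)
		return false;
	return memcmp(ctx->sec_bdev->root_hash, expected, ROOT_HASH_LEN) == 0;
}

/* Property: "was the root hash signed by a trusted key?" */
static bool prop_dmverity_signature(const struct ipe_engine_ctx *ctx)
{
	return ctx->sec_bdev != NULL && ctx->sec_bdev->root_hash_sig_ok;
}

/* Toy one-rule policy for the EXEC op: allow if either property holds,
 * otherwise deny. */
static bool policy_allow_exec(const struct ipe_engine_ctx *ctx,
			      const unsigned char expected[ROOT_HASH_LEN])
{
	if (ctx->op != IPE_OP_EXEC)
		return false;
	return prop_dmverity_roothash(ctx, expected) ||
	       prop_dmverity_signature(ctx);
}

/* Constructed sample: binary on a verity-backed rootfs, matching hash. */
bool demo_local_verity_allowed(void)
{
	unsigned char hash[ROOT_HASH_LEN];
	memset(hash, 0xab, sizeof(hash));	/* constructed root hash */
	struct ipe_bdev_blob blob = { .root_hash_sig_ok = false };
	memcpy(blob.root_hash, hash, sizeof(hash));
	struct ipe_engine_ctx ctx = {
		.op = IPE_OP_EXEC, .hook = IPE_HOOK_EXEC, .file = NULL,
		.audit_pathname = "/usr/bin/true", .sec_bdev = &blob,
	};
	return policy_allow_exec(&ctx, hash);
}

/* Constructed sample: same policy, file on a remote fs with no blob. */
bool demo_remote_fs_denied(void)
{
	unsigned char hash[ROOT_HASH_LEN];
	memset(hash, 0xab, sizeof(hash));
	struct ipe_engine_ctx ctx = {
		.op = IPE_OP_EXEC, .hook = IPE_HOOK_EXEC, .file = NULL,
		.audit_pathname = "/mnt/nfs/bin/tool", .sec_bdev = NULL,
	};
	return !policy_allow_exec(&ctx, hash);
}

/* Constructed sample: a blob exists, but its hash differs and is unsigned. */
bool demo_hash_mismatch_denied(void)
{
	unsigned char expected[ROOT_HASH_LEN];
	memset(expected, 0xab, sizeof(expected));
	struct ipe_bdev_blob blob = { .root_hash_sig_ok = false };
	memset(blob.root_hash, 0xcd, sizeof(blob.root_hash));
	struct ipe_engine_ctx ctx = {
		.op = IPE_OP_EXEC, .hook = IPE_HOOK_EXEC, .file = NULL,
		.audit_pathname = "/mnt/other/bin/tool", .sec_bdev = &blob,
	};
	return !policy_allow_exec(&ctx, expected);
}

int main(void)
{
	printf("verity file allowed:   %s\n", demo_local_verity_allowed() ? "yes" : "no");
	printf("remote file denied:    %s\n", demo_remote_fs_denied() ? "yes" : "no");
	printf("wrong hash denied:     %s\n", demo_hash_mismatch_denied() ? "yes" : "no");
	return 0;
}
```

The shape to notice is that every evaluator treats a missing sec_bdev as "claim absent" and returns false; the policy never reaches an allow unless some mechanism positively vouches for the file, which is why a file served over NFS or FUSE cannot pass a dm-verity property in this model regardless of how the rule is written.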