Re: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()
From: Mimi Zohar
Date: Tue Nov 17 2020 - 18:24:02 EST
On Tue, 2020-11-17 at 10:23 -0800, Linus Torvalds wrote:
> On Mon, Nov 16, 2020 at 10:35 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > We need to differentiate between signed files, which by definition are
> > immutable, and those that are mutable. Appending to a mutable file,
> > for example, would result in the file hash not being updated.
> > Subsequent reads would fail.
>
> Why would that require any reading of the file at all AT WRITE TIME?
On the (last) file close, the file hash is re-calculated and written
out as security.ima. The EVM hmac is re-calculated and written out as
security.evm.
>
> Don't do it. Really.
I really wish it wasn't needed.
>
> When opening the file write-only, you just invalidate the hash. It
> doesn't matter anyway - you're only writing.
>
> Later on, when reading, only at that point does the hash matter, and
> then you can do the verification.
>
> Although honestly, I don't even see the point. You know the hash won't
> match, if you wrote to the file.
On the local system, as Roberto mentioned, before updating a file, the
existing file's data and metadata (EVM) should be verified to protect
from an offline attack.
The above scenario assumes calculating the file hash is only being used
for verifying the integrity of the file (security.ima), but there are
other reasons for calculating the file hash. For example depending on
the IMA measurement policy, just accessing a file could require
including the file hash in the measurement list. True that measurement
will only be valid at the time of measurement, but it provides a base
value.
Mimi