From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Alban Crequy <alban@kinvolk.io>, Dongsu Park <dongsu@kinvolk.io>,
linux-integrity <linux-integrity@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [RFC PATCH] ima: force the re-evaluation of files on untrusted file systems
Date: Mon, 05 Feb 2018 11:37:40 -0500 [thread overview]
Message-ID: <1517848660.3736.101.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CAJfpegvjZj-F-8kJaa7PkdykJn997AG383CcW7tiSGUYcq+BEA@mail.gmail.com>
On Mon, 2018-02-05 at 17:30 +0100, Miklos Szeredi wrote:
> On Mon, Feb 5, 2018 at 5:21 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Mon, 2018-02-05 at 17:12 +0100, Miklos Szeredi wrote:
> >> On Mon, Feb 5, 2018 at 4:50 PM, James Bottomley
> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> > On Mon, 2018-02-05 at 08:40 -0500, Mimi Zohar wrote:
> >> >> On filesystems, such as fuse or remote filesystems, that we can not
> >> >> detect or rely on the filesystem to tell us when a file has changed,
> >> >> always re-measure, re-appraise, and/or re-audit the file.
> >> >
> >> > Using the presence or absence of d_revalidate isn't definitive for
> >> > uncacheable appraisals: all stacked filesystems have to implement
> >> > d_revalidate just in case the underlying has it, but it doesn't mean
> >> > their appraisals can't be cached if they're fully built on top of
> >> > traditional filesystems (like they are in the Docker/OCI use case). I
> >> > think the original flag approach is better. The only thing stackable
> >> > filesystems argues for is that for them it should probably be a
> >> > superblock flag so it can be per-mount point (depending on overlay
> >> > composition).
> >> >
> >> > d_revalidate() also strikes me as wrong from the semantic point of
> >> > view: it's about whether the path name to inode cache needs re-
> >> > evaluating not whether the underlying inode could change arbitrarily.
> >> > These are definitely related but not necessarily equivalent concepts.
> >>
> >> True. A more precise indication is whether cache pages have been
> >> invalidated for a certain inode. Can we used that? I.e.
> >> invalidate_inode_pages*() calls down into IMA or sets a flags or
> >> whatever to indicate that the file contents might have changed.
> >
> > I don't think that works for the FUSE use case.
>
> Okay, it's true that cache invalidation is just a hint about file
> contents changing. The file contents could change without cache
> invalidation if userspace filesystem is buggy or malicious.
Right, the untrusted, malicious userspace filesystem is the reason for
Alban's patches. Can you review/ack those patches?
thanks,
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH] ima: force the re-evaluation of files on untrusted file systems
Date: Mon, 05 Feb 2018 11:37:40 -0500 [thread overview]
Message-ID: <1517848660.3736.101.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CAJfpegvjZj-F-8kJaa7PkdykJn997AG383CcW7tiSGUYcq+BEA@mail.gmail.com>
On Mon, 2018-02-05 at 17:30 +0100, Miklos Szeredi wrote:
> On Mon, Feb 5, 2018 at 5:21 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Mon, 2018-02-05 at 17:12 +0100, Miklos Szeredi wrote:
> >> On Mon, Feb 5, 2018 at 4:50 PM, James Bottomley
> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> > On Mon, 2018-02-05 at 08:40 -0500, Mimi Zohar wrote:
> >> >> On filesystems, such as fuse or remote filesystems, that we can not
> >> >> detect or rely on the filesystem to tell us when a file has changed,
> >> >> always re-measure, re-appraise, and/or re-audit the file.
> >> >
> >> > Using the presence or absence of d_revalidate isn't definitive for
> >> > uncacheable appraisals: all stacked filesystems have to implement
> >> > d_revalidate just in case the underlying has it, but it doesn't mean
> >> > their appraisals can't be cached if they're fully built on top of
> >> > traditional filesystems (like they are in the Docker/OCI use case). I
> >> > think the original flag approach is better. The only thing stackable
> >> > filesystems argues for is that for them it should probably be a
> >> > superblock flag so it can be per-mount point (depending on overlay
> >> > composition).
> >> >
> >> > d_revalidate() also strikes me as wrong from the semantic point of
> >> > view: it's about whether the path name to inode cache needs re-
> >> > evaluating not whether the underlying inode could change arbitrarily.
> >> > These are definitely related but not necessarily equivalent concepts.
> >>
> >> True. A more precise indication is whether cache pages have been
> >> invalidated for a certain inode. Can we used that? I.e.
> >> invalidate_inode_pages*() calls down into IMA or sets a flags or
> >> whatever to indicate that the file contents might have changed.
> >
> > I don't think that works for the FUSE use case.
>
> Okay, it's true that cache invalidation is just a hint about file
> contents changing. The file contents could change without cache
> invalidation if userspace filesystem is buggy or malicious.
Right, the untrusted, malicious userspace filesystem is the reason for
Alban's patches. ?Can you review/ack those patches?
thanks,
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Alban Crequy <alban@kinvolk.io>, Dongsu Park <dongsu@kinvolk.io>,
linux-integrity <linux-integrity@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [RFC PATCH] ima: force the re-evaluation of files on untrusted file systems
Date: Mon, 05 Feb 2018 11:37:40 -0500 [thread overview]
Message-ID: <1517848660.3736.101.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CAJfpegvjZj-F-8kJaa7PkdykJn997AG383CcW7tiSGUYcq+BEA@mail.gmail.com>
On Mon, 2018-02-05 at 17:30 +0100, Miklos Szeredi wrote:
> On Mon, Feb 5, 2018 at 5:21 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Mon, 2018-02-05 at 17:12 +0100, Miklos Szeredi wrote:
> >> On Mon, Feb 5, 2018 at 4:50 PM, James Bottomley
> >> <James.Bottomley@hansenpartnership.com> wrote:
> >> > On Mon, 2018-02-05 at 08:40 -0500, Mimi Zohar wrote:
> >> >> On filesystems, such as fuse or remote filesystems, that we can not
> >> >> detect or rely on the filesystem to tell us when a file has changed,
> >> >> always re-measure, re-appraise, and/or re-audit the file.
> >> >
> >> > Using the presence or absence of d_revalidate isn't definitive for
> >> > uncacheable appraisals: all stacked filesystems have to implement
> >> > d_revalidate just in case the underlying has it, but it doesn't mean
> >> > their appraisals can't be cached if they're fully built on top of
> >> > traditional filesystems (like they are in the Docker/OCI use case). I
> >> > think the original flag approach is better. The only thing stackable
> >> > filesystems argues for is that for them it should probably be a
> >> > superblock flag so it can be per-mount point (depending on overlay
> >> > composition).
> >> >
> >> > d_revalidate() also strikes me as wrong from the semantic point of
> >> > view: it's about whether the path name to inode cache needs re-
> >> > evaluating not whether the underlying inode could change arbitrarily.
> >> > These are definitely related but not necessarily equivalent concepts.
> >>
> >> True. A more precise indication is whether cache pages have been
> >> invalidated for a certain inode. Can we used that? I.e.
> >> invalidate_inode_pages*() calls down into IMA or sets a flags or
> >> whatever to indicate that the file contents might have changed.
> >
> > I don't think that works for the FUSE use case.
>
> Okay, it's true that cache invalidation is just a hint about file
> contents changing. The file contents could change without cache
> invalidation if userspace filesystem is buggy or malicious.
Right, the untrusted, malicious userspace filesystem is the reason for
Alban's patches. Can you review/ack those patches?
thanks,
Mimi
next prev parent reply other threads:[~2018-02-05 16:37 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-05 13:40 [RFC PATCH] ima: force the re-evaluation of files on untrusted file systems Mimi Zohar
2018-02-05 13:40 ` Mimi Zohar
2018-02-05 14:24 ` Alban Crequy
2018-02-05 14:24 ` Alban Crequy
2018-02-05 15:36 ` Mimi Zohar
2018-02-05 15:36 ` Mimi Zohar
2018-02-05 15:50 ` James Bottomley
2018-02-05 15:50 ` James Bottomley
2018-02-05 15:50 ` James Bottomley
2018-02-05 16:12 ` Miklos Szeredi
2018-02-05 16:12 ` Miklos Szeredi
2018-02-05 16:21 ` Mimi Zohar
2018-02-05 16:21 ` Mimi Zohar
2018-02-05 16:30 ` Miklos Szeredi
2018-02-05 16:30 ` Miklos Szeredi
2018-02-05 16:37 ` Mimi Zohar [this message]
2018-02-05 16:37 ` Mimi Zohar
2018-02-05 16:37 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1517848660.3736.101.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.