From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:47260 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726760AbeJPVHW (ORCPT ); Tue, 16 Oct 2018 17:07:22 -0400
Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w9GDEreI075870 for ; Tue, 16 Oct 2018 09:16:54 -0400
Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0b-001b2d01.pphosted.com with ESMTP id 2n5fab4tcj-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 16 Oct 2018 09:16:53 -0400
Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 16 Oct 2018 14:16:52 +0100
Subject: Re: [PATCH 2/3] IMA: Make use of filesystem-provided hashes
From: Mimi Zohar
To: Matthew Garrett
Cc: linux-integrity, Dmitry Kasatkin, miklos@szeredi.hu, linux-fsdevel@vger.kernel.org, Alexander Viro
Date: Tue, 16 Oct 2018 09:16:36 -0400
In-Reply-To:
References: <20181004203007.217320-1-mjg59@google.com> <20181004203007.217320-3-mjg59@google.com> <1539271386.11939.79.camel@linux.ibm.com> <1539298987.11939.136.camel@linux.ibm.com> <1539567497.11939.198.camel@linux.ibm.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <1539695796.11939.273.camel@linux.ibm.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Mon, 2018-10-15 at 11:46 -0700, Matthew Garrett wrote:
> On Sun, Oct 14, 2018 at 6:38 PM Mimi Zohar wrote:
> > On Fri, 2018-10-12 at 11:31 -0700, Matthew Garrett wrote:
> > > There's a couple of ways. We could extend the filesystem type matching
> > > logic to also check the subtype - you'd then need to enforce that at
> > > the LSM level in order to protect against untrusted filesystems
> > > spoofing the filesystem type. Alternatively, we could add an
> > > additional policy match type for mount point and iterate through
> > > s_mounts on the superblock - if any match, we could define the policy
> > > there?
> >
> > The first method differentiates between different subtypes of FUSE
> > filesystems, while the second method allows differentiating between
> > the same type and subtype on different mount points. Both criteria
> > are needed, but instead of the second method based on a mount point,
> > perhaps based instead on a mount flag?
>
> Patch 3 already requires that the allow_gethash option be passed for
> this to work - I can restrict that to CAP_SYS_ADMIN?

In the case of FUSE filesystems, using "gethash" should be limited to
trusted mounts, not filesystems mounted with SB_I_UNTRUSTED_MOUNTER.
So requiring CAP_SYS_ADMIN seems unnecessary. The difference in the
approaches is that root has CAP_SYS_ADMIN, while providing a mount flag
requires intention.

>
> > Trusted mount of permitted filesystem type and subtype, that is
> > mounted with the defined mount flag.
>
> Ok, I'll write up a patch that allows policy matching of filesystem
> subtype as well as type and try to get that posted this week so we can
> discuss it in Edinburgh?

Sounds good. Hopefully I'll have time to review it before Edinburgh.
Mimi
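A user-space C model of the decision rule the thread converges on (a filesystem-provided hash is only trusted for a permitted type and subtype, on a mount made by a trusted mounter, that explicitly opted in with the allow_gethash option), added here as an illustration and not code from the kernel patches under discussion; the struct layouts, flag values and function names below are assumptions, not the kernel's definitions.

```c
/* Added example: user-space model of the IMA "use filesystem hash" decision.
 * Not kernel code; struct/flag/function names are assumptions. */
#include <stdbool.h>
#include <string.h>

#define SB_I_UNTRUSTED_MOUNTER 0x01  /* modelled: superblock mounted by an unprivileged user */
#define SB_ALLOW_GETHASH       0x02  /* modelled: mount passed the allow_gethash option */

struct model_sb {
    const char *s_type;     /* filesystem type, e.g. "fuse" */
    const char *s_subtype;  /* FUSE subtype, e.g. "sshfs"; NULL if none */
    unsigned int s_iflags;  /* modelled superblock flags */
};

struct model_rule {
    const char *fsname;     /* required filesystem type */
    const char *subtype;    /* required subtype, NULL matches any subtype */
};

/* Type must match; subtype must match when the rule names one. */
static bool rule_matches(const struct model_sb *sb, const struct model_rule *r)
{
    if (strcmp(sb->s_type, r->fsname) != 0)
        return false;
    if (r->subtype == NULL)
        return true;
    return sb->s_subtype != NULL && strcmp(sb->s_subtype, r->subtype) == 0;
}

/* Returns true only when IMA may rely on the hash the filesystem reports
 * instead of hashing the file contents itself. */
bool ima_may_use_fs_hash(const struct model_sb *sb, const struct model_rule *r)
{
    if (!rule_matches(sb, r))
        return false;
    /* An untrusted mounter controls what the filesystem reports: never trust it. */
    if (sb->s_iflags & SB_I_UNTRUSTED_MOUNTER)
        return false;
    /* Trust is opted into per mount, not implied by the mounter's capabilities. */
    return (sb->s_iflags & SB_ALLOW_GETHASH) != 0;
}
```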