From: "Serge E. Hallyn" <serge@hallyn.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 09:42:55 -0600 [thread overview]
Message-ID: <20180214154255.GA3087@mail.hallyn.com> (raw)
In-Reply-To: <1518622569.5667.26.camel@linux.vnet.ibm.com>
Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> On Wed, 2018-02-14 at 09:16 -0600, Serge E. Hallyn wrote:
> > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > > On Wed, 2018-02-14 at 08:49 -0600, Serge E. Hallyn wrote:
> > > > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > > > > Files on untrusted filesystems, such as fuse, can change at any time,
> > > > > making the measurement(s) and by extension signature verification
> > > > > meaningless.
> > > > >
> > > > > FUSE can be mounted by unprivileged users either today with fusermount
> > > > > installed with setuid, or soon with the upcoming patches to allow FUSE
> > > > > mounts in a non-init user namespace.
> > > > >
> > > > > This patch always fails the file signature verification on unprivileged
> > > > > and untrusted filesystems. To also fail file signature verification on
> > > >
> > > > Why only untrusted? Fuse could cause the same issue if it just
> > > > messes up when mounted from init userns right?
> > >
> > > Right, whether it is an unprivileged mount or not, fuse can return
> > > whatever it wants, whenever it wants. �IMA can calculate the file hash
> > > based based on what it reads, but fuse can return whatever it wants on
> > > subsequent reads.
> >
> > Ok but your patch seems to let privileged fuse mounts slide? (see below)
>
> Unprivileged fuse mounts hasn't been upstreamed yet, so we wouldn't be
> breaking existing userspace.
I don't think I'm being clear.
In your patch it looks like you mark unprivileged FUSE mounts as
INTEGRITY_FAIL. I agree you should do that. But you skip the
FS_UNTRUSTED check for privileged FUSE mounts. I'm asking why
that's ok.
> > > Refer to the discussion with Linus -�http://kernsec.org/pipermail/linu
> > > x-security-module-archive/2018-February/005200.html
> > >
> > > > > privileged, untrusted filesystems requires a custom policy.
> > > >
> > > > (I'm not saying you shouldn't do this, but) does this mean that
> > > > a container whose rootfs is fuse-mounted by the unprivileged user
> > > > cannot possibly use IMA?
> > >
> > > How would you suggest to differentiate between your unprivileged fuse
> > > mounts from unintended, unintended malicious ones?
> >
> > I wouldn't.
>
> What happened to the requirement that systems should be "fail-safe"?
My point was - I was asking whether there was any way to have IMA be
meaningful with such containers, not saying I had any ideas, and
certainly not saying that just because you can't detect it means you
should allow it in all cases. It's too bad that it has this effect,
but I agree with your patch.
I only didn't ack it because you're skipping the check for privileged
mounts which seems wrong.
-serge
WARNING: multiple messages have this Message-ID (diff)
From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 09:42:55 -0600 [thread overview]
Message-ID: <20180214154255.GA3087@mail.hallyn.com> (raw)
In-Reply-To: <1518622569.5667.26.camel@linux.vnet.ibm.com>
Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> On Wed, 2018-02-14 at 09:16 -0600, Serge E. Hallyn wrote:
> > Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> > > On Wed, 2018-02-14 at 08:49 -0600, Serge E. Hallyn wrote:
> > > > Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> > > > > Files on untrusted filesystems, such as fuse, can change at any time,
> > > > > making the measurement(s) and by extension signature verification
> > > > > meaningless.
> > > > >
> > > > > FUSE can be mounted by unprivileged users either today with fusermount
> > > > > installed with setuid, or soon with the upcoming patches to allow FUSE
> > > > > mounts in a non-init user namespace.
> > > > >
> > > > > This patch always fails the file signature verification on unprivileged
> > > > > and untrusted filesystems. To also fail file signature verification on
> > > >
> > > > Why only untrusted? Fuse could cause the same issue if it just
> > > > messes up when mounted from init userns right?
> > >
> > > Right, whether it is an unprivileged mount or not, fuse can return
> > > whatever it wants, whenever it wants. ?IMA can calculate the file hash
> > > based based on what it reads, but fuse can return whatever it wants on
> > > subsequent reads.
> >
> > Ok but your patch seems to let privileged fuse mounts slide? (see below)
>
> Unprivileged fuse mounts hasn't been upstreamed yet, so we wouldn't be
> breaking existing userspace.
I don't think I'm being clear.
In your patch it looks like you mark unprivileged FUSE mounts as
INTEGRITY_FAIL. I agree you should do that. But you skip the
FS_UNTRUSTED check for privileged FUSE mounts. I'm asking why
that's ok.
> > > Refer to the discussion with Linus -?http://kernsec.org/pipermail/linu
> > > x-security-module-archive/2018-February/005200.html
> > >
> > > > > privileged, untrusted filesystems requires a custom policy.
> > > >
> > > > (I'm not saying you shouldn't do this, but) does this mean that
> > > > a container whose rootfs is fuse-mounted by the unprivileged user
> > > > cannot possibly use IMA?
> > >
> > > How would you suggest to differentiate between your unprivileged fuse
> > > mounts from unintended, unintended malicious ones?
> >
> > I wouldn't.
>
> What happened to the requirement that systems should be "fail-safe"?
My point was - I was asking whether there was any way to have IMA be
meaningful with such containers, not saying I had any ideas, and
certainly not saying that just because you can't detect it means you
should allow it in all cases. It's too bad that it has this effect,
but I agree with your patch.
I only didn't ack it because you're skipping the check for privileged
mounts which seems wrong.
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 09:42:55 -0600 [thread overview]
Message-ID: <20180214154255.GA3087@mail.hallyn.com> (raw)
In-Reply-To: <1518622569.5667.26.camel@linux.vnet.ibm.com>
Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> On Wed, 2018-02-14 at 09:16 -0600, Serge E. Hallyn wrote:
> > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > > On Wed, 2018-02-14 at 08:49 -0600, Serge E. Hallyn wrote:
> > > > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > > > > Files on untrusted filesystems, such as fuse, can change at any time,
> > > > > making the measurement(s) and by extension signature verification
> > > > > meaningless.
> > > > >
> > > > > FUSE can be mounted by unprivileged users either today with fusermount
> > > > > installed with setuid, or soon with the upcoming patches to allow FUSE
> > > > > mounts in a non-init user namespace.
> > > > >
> > > > > This patch always fails the file signature verification on unprivileged
> > > > > and untrusted filesystems. To also fail file signature verification on
> > > >
> > > > Why only untrusted? Fuse could cause the same issue if it just
> > > > messes up when mounted from init userns right?
> > >
> > > Right, whether it is an unprivileged mount or not, fuse can return
> > > whatever it wants, whenever it wants. IMA can calculate the file hash
> > > based based on what it reads, but fuse can return whatever it wants on
> > > subsequent reads.
> >
> > Ok but your patch seems to let privileged fuse mounts slide? (see below)
>
> Unprivileged fuse mounts hasn't been upstreamed yet, so we wouldn't be
> breaking existing userspace.
I don't think I'm being clear.
In your patch it looks like you mark unprivileged FUSE mounts as
INTEGRITY_FAIL. I agree you should do that. But you skip the
FS_UNTRUSTED check for privileged FUSE mounts. I'm asking why
that's ok.
> > > Refer to the discussion with Linus - http://kernsec.org/pipermail/linu
> > > x-security-module-archive/2018-February/005200.html
> > >
> > > > > privileged, untrusted filesystems requires a custom policy.
> > > >
> > > > (I'm not saying you shouldn't do this, but) does this mean that
> > > > a container whose rootfs is fuse-mounted by the unprivileged user
> > > > cannot possibly use IMA?
> > >
> > > How would you suggest to differentiate between your unprivileged fuse
> > > mounts from unintended, unintended malicious ones?
> >
> > I wouldn't.
>
> What happened to the requirement that systems should be "fail-safe"?
My point was - I was asking whether there was any way to have IMA be
meaningful with such containers, not saying I had any ideas, and
certainly not saying that just because you can't detect it means you
should allow it in all cases. It's too bad that it has this effect,
but I agree with your patch.
I only didn't ack it because you're skipping the check for privileged
mounts which seems wrong.
-serge
next prev parent reply other threads:[~2018-02-14 15:42 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 13:35 [RFC PATCH 1/4] ima: define a new policy condition based on the filesystem name Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 14:49 ` Serge E. Hallyn
2018-02-14 14:49 ` Serge E. Hallyn
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:42 ` Serge E. Hallyn [this message]
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 23:57 ` Eric W. Biederman
2018-02-14 23:57 ` Eric W. Biederman
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 17:52 ` Mimi Zohar
2018-02-15 17:52 ` Mimi Zohar
2018-02-15 17:52 ` Mimi Zohar
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 21:00 ` Mimi Zohar
2018-02-16 21:00 ` Mimi Zohar
2018-02-16 21:00 ` Mimi Zohar
2018-02-17 14:20 ` Eric W. Biederman
2018-02-17 14:20 ` Eric W. Biederman
2018-02-17 14:20 ` Eric W. Biederman
2018-02-19 15:44 ` Mimi Zohar
2018-02-19 15:44 ` Mimi Zohar
2018-02-19 15:44 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 3/4] ima: define a new policy option named "fail" Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 4/4] fuse: define the filesystem as untrusted Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180214154255.GA3087@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.