Subject: Re: [PATCH v3 4/4] fuse: define the filesystem as untrusted
To: "Serge E. Hallyn" , Mimi Zohar
References: <1520540650-7451-1-git-send-email-zohar@linux.vnet.ibm.com> <1520540650-7451-5-git-send-email-zohar@linux.vnet.ibm.com> <20180312192950.GE29878@mail.hallyn.com>
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miklos Szeredi , Seth Forshee , "Eric W . Biederman" , Dongsu Park , Alban Crequy
From: Stefan Berger Date: Tue, 13 Mar 2018 10:46:04 -0400 MIME-Version: 1.0 In-Reply-To: <20180312192950.GE29878@mail.hallyn.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Message-Id: <1fd04e0e-37ab-329c-c75d-d349a3b2f136@linux.vnet.ibm.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On 03/12/2018 03:29 PM, Serge E. Hallyn wrote: > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com): >> Files on FUSE can change at any point in time without IMA being able >> to detect it. The file data read for the file signature verification >> could be totally different from what is subsequently read, making the >> signature verification useless. >> >> FUSE can be mounted by unprivileged users either today with fusermount >> installed with setuid, or soon with the upcoming patches to allow FUSE >> mounts in a non-init user namespace. >> >> This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when >> appropriate sets the SB_I_UNTRUSTED_MOUNTER flag. >> >> Signed-off-by: Mimi Zohar >> Cc: Miklos Szeredi >> Cc: Seth Forshee >> Cc: Eric W. Biederman >> Cc: Dongsu Park >> Cc: Alban Crequy >> Cc: "Serge E. Hallyn" > Acked-by: Serge Hallyn > > Of course when IMA namespacing hits, you'll want to compare the > sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns > right? I suppose this would be the only way to enable 'trusted mounters' within IMA namespaces. Maybe there could be an additional capability gate that would allow one to be a 'trusted mounter' then? > >> --- >> fs/fuse/inode.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c >> index 624f18bbfd2b..ef309958e060 100644 >> --- a/fs/fuse/inode.c >> +++ b/fs/fuse/inode.c 
>> @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) >> sb->s_maxbytes = MAX_LFS_FILESIZE; >> sb->s_time_gran = 1; >> sb->s_export_op = &fuse_export_operations; >> + sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE; >> + if (sb->s_user_ns != &init_user_ns) >> + sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER; >> >> file = fget(d.fd); >> err = -EINVAL; >> -- >> 2.7.5
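Review bot: the `SB_I_UNTRUSTED_MOUNTER` condition in the `fuse_fill_super()` hunk only covers one of the two unprivileged-mount paths named in the commit message. The description says FUSE "can be mounted by unprivileged users either today with fusermount installed with setuid, or soon with the upcoming patches to allow FUSE mounts in a non-init user namespace", but `if (sb->s_user_ns != &init_user_ns)` is true only for the second case; a mount done through setuid fusermount in the init user namespace ends up with `s_user_ns == &init_user_ns` and never gets `SB_I_UNTRUSTED_MOUNTER`. If that is intentional, because the unconditional `sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;` is what is meant to handle the setuid case, the commit message should say so explicitly, and a short comment above the two new lines would save the next reader from working it out from the flag names. The hard-coded comparison against `&init_user_ns` also ties into the point raised in the thread about IMA namespacing, where the comparison target would need to become the user namespace owning the IMA namespace rather than `init_user_ns`; noting that as a known follow-up in the commit message would help whoever picks that work up.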