linux-integrity.vger.kernel.org archive mirror
* Allow trusted filesystems to provide IMA hashes directly
@ 2019-02-26 21:50 Matthew Garrett
From: Matthew Garrett @ 2019-02-26 21:50 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, dmitry.kasatkin, linux-fsdevel, miklos

When an IMA measurement is triggered, IMA is forced to read the entire
file and hash it. This can take a significant amount of time for large
files. If the filesystem has a secure mechanism for storing the file's
hash then it makes sense to allow the filesystem to simply return that
rather than forcing the entire file to be read.

This patchset adds an additional VFS call for providing the hash, and
teaches IMA how to use it. An additional parameter is added to the IMA
policy in order to indicate that a specific filesystem is trusted to
provide the hashes. Mounts that would otherwise match the policy but
which were mounted by a non-privileged user will still fall back to
reading the entire file to obtain the hash. Finally, a kernel parameter
is added to force hashes to be generated even if the policy says
otherwise.

This has been developed for FUSE, so the patchset includes some
additional supporting code. It adds an additional subtype parameter to
IMA policy to permit policy matching against specific FUSE filesystem
types. The expectation is that an LSM is used to restrict which
filesystems are able to mount with this subtype, preventing cases where
an untrusted FUSE filesystem is able to pretend to be a trusted one.

The use of FUSE (or any network filesystem) with IMA is already only
viable with specific security controls - an untrusted filesystem can
provide one set of data to the kernel when generating the initial
hashes, but a different set of data when the executable is actually run.
As a result, it's reasonable to assert that any setup relying on IMA
should already be imposing restrictions that ensure that FUSE
filesystems are only mounted by trustworthy executables. If this is the
case, there is no additional security concern raised by these patches.
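As an added example (not code from the patchset; every identifier here is invented for illustration), a user-space C model of the decision the cover letter describes: a filesystem-provided hash is accepted only when the policy rule matches (including the FUSE subtype), the rule trusts the filesystem, the mount was privileged, and the force-hash kernel parameter is not set; every other case falls back to hashing the file contents.

```c
/* Added example: user-space model of the IMA hash-source decision
 * described in the cover letter. Not the patchset's code; all struct,
 * field and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct ima_rule {
    const char *fstype;      /* filesystem type the rule applies to, e.g. "fuse" */
    const char *fs_subtype;  /* FUSE subtype to match; NULL matches any subtype */
    bool trust_fs_hash;      /* policy says this filesystem may supply the hash */
};

struct mount_info {
    const char *fstype;
    const char *fs_subtype;  /* NULL when the filesystem has no subtype */
    bool privileged_mount;   /* false if mounted by a non-privileged user */
    bool has_gethash;        /* filesystem implements the hash-providing call */
};

enum hash_source {
    HASH_NO_MATCH,   /* rule does not apply to this mount */
    HASH_READ_FILE,  /* IMA must read and hash the whole file */
    HASH_FROM_FS     /* IMA may take the hash the filesystem returns */
};

static bool rule_matches(const struct ima_rule *r, const struct mount_info *m)
{
    if (strcmp(r->fstype, m->fstype) != 0)
        return false;
    /* A subtype in the rule must be matched exactly by the mount. */
    if (r->fs_subtype &&
        (!m->fs_subtype || strcmp(r->fs_subtype, m->fs_subtype) != 0))
        return false;
    return true;
}

/* force_hash models the kernel parameter that overrides the policy. */
enum hash_source ima_hash_source(const struct ima_rule *r,
                                 const struct mount_info *m, bool force_hash)
{
    if (!rule_matches(r, m))
        return HASH_NO_MATCH;
    if (force_hash || !r->trust_fs_hash)
        return HASH_READ_FILE;
    if (!m->privileged_mount)     /* unprivileged mount: never trust */
        return HASH_READ_FILE;
    if (!m->has_gethash)          /* nothing to ask the filesystem for */
        return HASH_READ_FILE;
    return HASH_FROM_FS;
}
```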


Thread overview: 41+ messages
2019-02-26 21:50 Allow trusted filesystems to provide IMA hashes directly Matthew Garrett
2019-02-26 21:50 ` [PATCH V2 1/4] VFS: Add a call to obtain a file's hash Matthew Garrett
2019-02-26 21:50 ` [PATCH V2 2/4] IMA: Allow rule matching on filesystem subtype Matthew Garrett
2019-02-26 21:50 ` [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes Matthew Garrett
2019-02-28 16:03   ` Mimi Zohar
2019-02-28 18:05     ` Mimi Zohar
2019-02-28 21:41       ` Matthew Garrett
2019-02-28 21:59         ` Mimi Zohar
2019-02-28 22:38           ` Matthew Garrett
2019-03-04 19:52             ` Matthew Garrett
2019-03-04 20:32               ` Mimi Zohar
2019-03-04 22:10                 ` Matthew Garrett
2019-03-05 13:18                   ` Mimi Zohar
2019-03-05 18:39                     ` Matthew Garrett
2019-03-05 19:51                       ` Mimi Zohar
2019-03-05 20:27                         ` Matthew Garrett
2019-03-06 12:30                           ` Mimi Zohar
2019-03-06 18:31                             ` Matthew Garrett
2019-03-06 22:38                               ` Mimi Zohar
2019-03-06 23:36                                 ` Matthew Garrett
2019-03-07  1:54                                   ` Mimi Zohar
2019-03-07  4:19                                     ` Matthew Garrett
2019-03-07 20:48                                       ` Mimi Zohar
2019-03-07 22:41                                         ` Matthew Garrett
2019-04-04 21:46                                           ` Matthew Garrett
2019-04-04 22:18                                             ` James Bottomley
2019-04-04 22:26                                               ` Matthew Garrett
2019-04-04 22:35                                                 ` James Bottomley
2019-04-05  1:50                                                   ` Matthew Garrett
2019-04-05  2:26                                                     ` James Bottomley
2019-04-05 20:55                                                       ` Matthew Garrett
2019-04-29 22:51                                                         ` Matthew Garrett
2019-05-02 20:25                                                           ` Mimi Zohar
2019-05-02 22:37                                                             ` Matthew Garrett
2019-05-02 23:02                                                               ` Mimi Zohar
2019-05-03  6:51                                                                 ` Roberto Sassu
2019-05-03  8:17                                                                   ` Roberto Sassu
2019-05-03 12:47                                                                     ` Mimi Zohar
2019-05-03 13:20                                                                       ` Roberto Sassu
2019-02-26 21:50 ` [PATCH V2 4/4] FUSE: Allow filesystems to provide gethash methods Matthew Garrett
2019-02-27 14:26   ` Jann Horn
