From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 10:36:09 -0500 [thread overview]
Message-ID: <1518622569.5667.26.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180214151637.GA2671@mail.hallyn.com>
On Wed, 2018-02-14 at 09:16 -0600, Serge E. Hallyn wrote:
> Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > On Wed, 2018-02-14 at 08:49 -0600, Serge E. Hallyn wrote:
> > > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > > > Files on untrusted filesystems, such as fuse, can change at any time,
> > > > making the measurement(s) and by extension signature verification
> > > > meaningless.
> > > >
> > > > FUSE can be mounted by unprivileged users either today with fusermount
> > > > installed with setuid, or soon with the upcoming patches to allow FUSE
> > > > mounts in a non-init user namespace.
> > > >
> > > > This patch always fails the file signature verification on unprivileged
> > > > and untrusted filesystems. To also fail file signature verification on
> > >
> > > Why only untrusted? Fuse could cause the same issue if it just
> > > messes up when mounted from init userns right?
> >
> > Right, whether it is an unprivileged mount or not, fuse can return
> > whatever it wants, whenever it wants. IMA can calculate the file hash
> > based based on what it reads, but fuse can return whatever it wants on
> > subsequent reads.
>
> Ok but your patch seems to let privileged fuse mounts slide? (see below)
Unprivileged fuse mounts hasn't been upstreamed yet, so we wouldn't be
breaking existing userspace.
>
> > Refer to the discussion with Linus - http://kernsec.org/pipermail/linu
> > x-security-module-archive/2018-February/005200.html
> >
> > > > privileged, untrusted filesystems requires a custom policy.
> > >
> > > (I'm not saying you shouldn't do this, but) does this mean that
> > > a container whose rootfs is fuse-mounted by the unprivileged user
> > > cannot possibly use IMA?
> >
> > How would you suggest to differentiate between your unprivileged fuse
> > mounts from unintended, unintended malicious ones?
>
> I wouldn't.
What happened to the requirement that systems should be "fail-safe"?
Ok, hard coding this rule probably is not a good idea. For those
wanting to take this liability on their systems, we can make this
configurable, like for privileged fuse mounts. Unlike for privileged
fuse mounts, the builtin policies, I think, should be fail safe and
include the "fail" rule for unprivileged fuse mounts.
>
> > The remaining patches are policy based.
> >
> > > Good thing we can partially work around that by intercepting real
> > > mount calls with Tycho's new patchset :)
> >
> > Can you provide a little more details?
>
> It would allow a container runtime to intercept mount(2) and perform
> a real mount on the user's behalf. Assuming the runtime is privileged,
> of course, otherwise it would intercept and do a fuse mount which is
> no help here :)
>
> https://lkml.org/lkml/2018/2/4/28
thanks!
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 10:36:09 -0500 [thread overview]
Message-ID: <1518622569.5667.26.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180214151637.GA2671@mail.hallyn.com>
On Wed, 2018-02-14 at 09:16 -0600, Serge E. Hallyn wrote:
> Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> > On Wed, 2018-02-14 at 08:49 -0600, Serge E. Hallyn wrote:
> > > Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> > > > Files on untrusted filesystems, such as fuse, can change at any time,
> > > > making the measurement(s) and by extension signature verification
> > > > meaningless.
> > > >
> > > > FUSE can be mounted by unprivileged users either today with fusermount
> > > > installed with setuid, or soon with the upcoming patches to allow FUSE
> > > > mounts in a non-init user namespace.
> > > >
> > > > This patch always fails the file signature verification on unprivileged
> > > > and untrusted filesystems. To also fail file signature verification on
> > >
> > > Why only untrusted? Fuse could cause the same issue if it just
> > > messes up when mounted from init userns right?
> >
> > Right, whether it is an unprivileged mount or not, fuse can return
> > whatever it wants, whenever it wants. ?IMA can calculate the file hash
> > based based on what it reads, but fuse can return whatever it wants on
> > subsequent reads.
>
> Ok but your patch seems to let privileged fuse mounts slide? (see below)
Unprivileged fuse mounts hasn't been upstreamed yet, so we wouldn't be
breaking existing userspace.
>
> > Refer to the discussion with Linus -?http://kernsec.org/pipermail/linu
> > x-security-module-archive/2018-February/005200.html
> >
> > > > privileged, untrusted filesystems requires a custom policy.
> > >
> > > (I'm not saying you shouldn't do this, but) does this mean that
> > > a container whose rootfs is fuse-mounted by the unprivileged user
> > > cannot possibly use IMA?
> >
> > How would you suggest to differentiate between your unprivileged fuse
> > mounts from unintended, unintended malicious ones?
>
> I wouldn't.
What happened to the requirement that systems should be "fail-safe"?
Ok, hard coding this rule probably is not a good idea. ?For those
wanting to take this liability on their systems, we can make this
configurable, like for privileged fuse mounts. ?Unlike for privileged
fuse mounts, the builtin policies, I think, should be fail safe and
include the "fail" rule for unprivileged fuse mounts.
>
> > The remaining patches are policy based.
> >
> > > Good thing we can partially work around that by intercepting real
> > > mount calls with Tycho's new patchset :)
> >
> > Can you provide a little more details?
>
> It would allow a container runtime to intercept mount(2) and perform
> a real mount on the user's behalf. Assuming the runtime is privileged,
> of course, otherwise it would intercept and do a fuse mount which is
> no help here :)
>
> https://lkml.org/lkml/2018/2/4/28
thanks!
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 10:36:09 -0500 [thread overview]
Message-ID: <1518622569.5667.26.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180214151637.GA2671@mail.hallyn.com>
On Wed, 2018-02-14 at 09:16 -0600, Serge E. Hallyn wrote:
> Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > On Wed, 2018-02-14 at 08:49 -0600, Serge E. Hallyn wrote:
> > > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > > > Files on untrusted filesystems, such as fuse, can change at any time,
> > > > making the measurement(s) and by extension signature verification
> > > > meaningless.
> > > >
> > > > FUSE can be mounted by unprivileged users either today with fusermount
> > > > installed with setuid, or soon with the upcoming patches to allow FUSE
> > > > mounts in a non-init user namespace.
> > > >
> > > > This patch always fails the file signature verification on unprivileged
> > > > and untrusted filesystems. To also fail file signature verification on
> > >
> > > Why only untrusted? Fuse could cause the same issue if it just
> > > messes up when mounted from init userns right?
> >
> > Right, whether it is an unprivileged mount or not, fuse can return
> > whatever it wants, whenever it wants. IMA can calculate the file hash
> > based based on what it reads, but fuse can return whatever it wants on
> > subsequent reads.
>
> Ok but your patch seems to let privileged fuse mounts slide? (see below)
Unprivileged fuse mounts hasn't been upstreamed yet, so we wouldn't be
breaking existing userspace.
>
> > Refer to the discussion with Linus - http://kernsec.org/pipermail/linu
> > x-security-module-archive/2018-February/005200.html
> >
> > > > privileged, untrusted filesystems requires a custom policy.
> > >
> > > (I'm not saying you shouldn't do this, but) does this mean that
> > > a container whose rootfs is fuse-mounted by the unprivileged user
> > > cannot possibly use IMA?
> >
> > How would you suggest to differentiate between your unprivileged fuse
> > mounts from unintended, unintended malicious ones?
>
> I wouldn't.
What happened to the requirement that systems should be "fail-safe"?
Ok, hard coding this rule probably is not a good idea. For those
wanting to take this liability on their systems, we can make this
configurable, like for privileged fuse mounts. Unlike for privileged
fuse mounts, the builtin policies, I think, should be fail safe and
include the "fail" rule for unprivileged fuse mounts.
>
> > The remaining patches are policy based.
> >
> > > Good thing we can partially work around that by intercepting real
> > > mount calls with Tycho's new patchset :)
> >
> > Can you provide a little more details?
>
> It would allow a container runtime to intercept mount(2) and perform
> a real mount on the user's behalf. Assuming the runtime is privileged,
> of course, otherwise it would intercept and do a fuse mount which is
> no help here :)
>
> https://lkml.org/lkml/2018/2/4/28
thanks!
Mimi
next prev parent reply other threads:[~2018-02-14 15:36 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 13:35 [RFC PATCH 1/4] ima: define a new policy condition based on the filesystem name Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 14:49 ` Serge E. Hallyn
2018-02-14 14:49 ` Serge E. Hallyn
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:36 ` Mimi Zohar [this message]
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 23:57 ` Eric W. Biederman
2018-02-14 23:57 ` Eric W. Biederman
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 17:52 ` Mimi Zohar
2018-02-15 17:52 ` Mimi Zohar
2018-02-15 17:52 ` Mimi Zohar
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 21:00 ` Mimi Zohar
2018-02-16 21:00 ` Mimi Zohar
2018-02-16 21:00 ` Mimi Zohar
2018-02-17 14:20 ` Eric W. Biederman
2018-02-17 14:20 ` Eric W. Biederman
2018-02-17 14:20 ` Eric W. Biederman
2018-02-19 15:44 ` Mimi Zohar
2018-02-19 15:44 ` Mimi Zohar
2018-02-19 15:44 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 3/4] ima: define a new policy option named "fail" Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 4/4] fuse: define the filesystem as untrusted Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518622569.5667.26.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.