From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH 2/3] IMA: Make use of filesystem-provided hashes
From: Mimi Zohar
To: Matthew Garrett
Cc: linux-integrity, Dmitry Kasatkin, miklos@szeredi.hu, linux-fsdevel@vger.kernel.org, Alexander Viro
Date: Sun, 14 Oct 2018 21:38:17 -0400
References: <20181004203007.217320-1-mjg59@google.com> <20181004203007.217320-3-mjg59@google.com> <1539271386.11939.79.camel@linux.ibm.com> <1539298987.11939.136.camel@linux.ibm.com>
Message-Id: <1539567497.11939.198.camel@linux.ibm.com>
Sender: linux-integrity-owner@vger.kernel.org
List-ID: linux-integrity@vger.kernel.org

On Fri, 2018-10-12 at 11:31 -0700, Matthew Garrett wrote:
> On Thu, Oct 11, 2018 at 4:03 PM Mimi Zohar wrote:
> > On Thu, 2018-10-11 at 13:30 -0700, Matthew Garrett wrote:
> > > > Ok, should this just be part of the IMA policy?
> >
> > How would you be able to differentiate between different FUSE
> > filesystems for example?
>
> There's a couple of ways. We could extend the filesystem type matching
> logic to also check the subtype - you'd then need to enforce that at
> the LSM level in order to protect against untrusted filesystems
> spoofing the filesystem type. Alternatively, we could add an
> additional policy match type for mount point and iterate through
> s_mounts on the superblock - if any match, we could define the policy
> there?

The first method differentiates between different subtypes of FUSE filesystems, while the second method allows differentiating between the same type and subtype on different mount points. Both criteria are needed, but instead of the second method based on a mount point, perhaps based instead on a mount flag? Trusted mount of permitted filesystem type and subtype, that is mounted with the defined mount flag.

Mimi