From: ebiederm@xmission.com (Eric W. Biederman)
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Thu, 15 Feb 2018 10:47:06 -0600 [thread overview]
Message-ID: <87a7wayzcl.fsf@xmission.com> (raw)
In-Reply-To: <1518698285.5667.87.camel@linux.vnet.ibm.com> (Mimi Zohar's message of "Thu, 15 Feb 2018 07:38:05 -0500")
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> On Wed, 2018-02-14 at 17:57 -0600, Eric W. Biederman wrote:
>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>>
>> > Files on untrusted filesystems, such as fuse, can change at any time,
>> > making the measurement(s) and by extension signature verification
>> > meaningless.
>> >
>> > FUSE can be mounted by unprivileged users either today with fusermount
>> > installed with setuid, or soon with the upcoming patches to allow FUSE
>> > mounts in a non-init user namespace.
>> >
>> > This patch always fails the file signature verification on unprivileged
>> > and untrusted filesystems. To also fail file signature verification on
>> > privileged, untrusted filesystems requires a custom policy.
>> >
>> > (This patch is based on Alban Crequy's use of fs_flags and patch
>> > description.)
>>
>> This would be much better done based on a flag in s_iflags and then the
>> mounts that need this can set this. That new flag can perhaps be called
>> SB_I_IMA_FAIL.
>>
>> Among other things that should allow the policy of when to set this to
>> be set in fuse where it is obvious rather than in an magic location in
>> IMA.
>
> Using s_iflags instead of fs_flags is fine, but I'm not sure how this
> affects the IMA policy. This patch set assumes only unprivileged,
> untrusted filesytems can automatically fail file signature
> verification (2nd patch), as that hasn't yet been upstreamed and won't
> break userspace.
>
> Based on policy, IMA should additionally be able to fail the signature
> verification for files on privileged, untrusted filesystems.
Apologies ima has a very specific meaning of policy, as in the loaded
ima policy. I was meaning the hard coded policy of which filesystems
we simply would not trust by default.
In code terms what I was thinking would look something like:
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -292,7 +292,14 @@ int ima_appraise_measurement(enum ima_hooks func,
}
out:
- if (status != INTEGRITY_PASS) {
+ /* Fail if we can't trust the fs enough to support ima xattrs (FUSE) */
+ if (inode->i_sb->s_iflags & SB_I_NOIMA) {
+ status = INTEGRITY_FAIL;
+ cause = "untrusted-filesystem";
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+ op, cause, rc, 0);
+ } else if (status != INTEGRITY_PASS) {
if ((ima_appraise & IMA_APPRAISE_FIX) &&
(!xattr_value ||
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
And somewhere in the fuse mount code it would say:
if (sb->s_user_ns != &init_user_ns)
sb->s_iflags |= SB_I_NOIMA);
The point being that the logic for setting the flag can live in fuse or
a simpler filesystem and all ima proper needs to do is deal with the flag being
set. That should be easier to maintainer and simpler to code all
around.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Thu, 15 Feb 2018 10:47:06 -0600 [thread overview]
Message-ID: <87a7wayzcl.fsf@xmission.com> (raw)
In-Reply-To: <1518698285.5667.87.camel@linux.vnet.ibm.com> (Mimi Zohar's message of "Thu, 15 Feb 2018 07:38:05 -0500")
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> On Wed, 2018-02-14 at 17:57 -0600, Eric W. Biederman wrote:
>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>>
>> > Files on untrusted filesystems, such as fuse, can change at any time,
>> > making the measurement(s) and by extension signature verification
>> > meaningless.
>> >
>> > FUSE can be mounted by unprivileged users either today with fusermount
>> > installed with setuid, or soon with the upcoming patches to allow FUSE
>> > mounts in a non-init user namespace.
>> >
>> > This patch always fails the file signature verification on unprivileged
>> > and untrusted filesystems. To also fail file signature verification on
>> > privileged, untrusted filesystems requires a custom policy.
>> >
>> > (This patch is based on Alban Crequy's use of fs_flags and patch
>> > description.)
>>
>> This would be much better done based on a flag in s_iflags and then the
>> mounts that need this can set this. That new flag can perhaps be called
>> SB_I_IMA_FAIL.
>>
>> Among other things that should allow the policy of when to set this to
>> be set in fuse where it is obvious rather than in an magic location in
>> IMA.
>
> Using s_iflags instead of fs_flags is fine, but I'm not sure how this
> affects the IMA policy. ?This patch set assumes only unprivileged,
> untrusted filesytems can automatically fail file signature
> verification (2nd patch), as that hasn't yet been upstreamed and won't
> break userspace.
>
> Based on policy, IMA should additionally be able to fail the signature
> verification for files on privileged, untrusted filesystems.
Apologies ima has a very specific meaning of policy, as in the loaded
ima policy. I was meaning the hard coded policy of which filesystems
we simply would not trust by default.
In code terms what I was thinking would look something like:
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -292,7 +292,14 @@ int ima_appraise_measurement(enum ima_hooks func,
}
out:
- if (status != INTEGRITY_PASS) {
+ /* Fail if we can't trust the fs enough to support ima xattrs (FUSE) */
+ if (inode->i_sb->s_iflags & SB_I_NOIMA) {
+ status = INTEGRITY_FAIL;
+ cause = "untrusted-filesystem";
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+ op, cause, rc, 0);
+ } else if (status != INTEGRITY_PASS) {
if ((ima_appraise & IMA_APPRAISE_FIX) &&
(!xattr_value ||
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
And somewhere in the fuse mount code it would say:
if (sb->s_user_ns != &init_user_ns)
sb->s_iflags |= SB_I_NOIMA);
The point being that the logic for setting the flag can live in fuse or
a simpler filesystem and all ima proper needs to do is deal with the flag being
set. That should be easier to maintainer and simpler to code all
around.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Thu, 15 Feb 2018 10:47:06 -0600 [thread overview]
Message-ID: <87a7wayzcl.fsf@xmission.com> (raw)
In-Reply-To: <1518698285.5667.87.camel@linux.vnet.ibm.com> (Mimi Zohar's message of "Thu, 15 Feb 2018 07:38:05 -0500")
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> On Wed, 2018-02-14 at 17:57 -0600, Eric W. Biederman wrote:
>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>>
>> > Files on untrusted filesystems, such as fuse, can change at any time,
>> > making the measurement(s) and by extension signature verification
>> > meaningless.
>> >
>> > FUSE can be mounted by unprivileged users either today with fusermount
>> > installed with setuid, or soon with the upcoming patches to allow FUSE
>> > mounts in a non-init user namespace.
>> >
>> > This patch always fails the file signature verification on unprivileged
>> > and untrusted filesystems. To also fail file signature verification on
>> > privileged, untrusted filesystems requires a custom policy.
>> >
>> > (This patch is based on Alban Crequy's use of fs_flags and patch
>> > description.)
>>
>> This would be much better done based on a flag in s_iflags and then the
>> mounts that need this can set this. That new flag can perhaps be called
>> SB_I_IMA_FAIL.
>>
>> Among other things that should allow the policy of when to set this to
>> be set in fuse where it is obvious rather than in an magic location in
>> IMA.
>
> Using s_iflags instead of fs_flags is fine, but I'm not sure how this
> affects the IMA policy. This patch set assumes only unprivileged,
> untrusted filesytems can automatically fail file signature
> verification (2nd patch), as that hasn't yet been upstreamed and won't
> break userspace.
>
> Based on policy, IMA should additionally be able to fail the signature
> verification for files on privileged, untrusted filesystems.
Apologies ima has a very specific meaning of policy, as in the loaded
ima policy. I was meaning the hard coded policy of which filesystems
we simply would not trust by default.
In code terms what I was thinking would look something like:
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -292,7 +292,14 @@ int ima_appraise_measurement(enum ima_hooks func,
}
out:
- if (status != INTEGRITY_PASS) {
+ /* Fail if we can't trust the fs enough to support ima xattrs (FUSE) */
+ if (inode->i_sb->s_iflags & SB_I_NOIMA) {
+ status = INTEGRITY_FAIL;
+ cause = "untrusted-filesystem";
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+ op, cause, rc, 0);
+ } else if (status != INTEGRITY_PASS) {
if ((ima_appraise & IMA_APPRAISE_FIX) &&
(!xattr_value ||
xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
And somewhere in the fuse mount code it would say:
if (sb->s_user_ns != &init_user_ns)
sb->s_iflags |= SB_I_NOIMA);
The point being that the logic for setting the flag can live in fuse or
a simpler filesystem and all ima proper needs to do is deal with the flag being
set. That should be easier to maintainer and simpler to code all
around.
Eric
next prev parent reply other threads:[~2018-02-15 16:47 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 13:35 [RFC PATCH 1/4] ima: define a new policy condition based on the filesystem name Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 14:49 ` Serge E. Hallyn
2018-02-14 14:49 ` Serge E. Hallyn
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 23:57 ` Eric W. Biederman
2018-02-14 23:57 ` Eric W. Biederman
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 16:47 ` Eric W. Biederman [this message]
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 17:52 ` Mimi Zohar
2018-02-15 17:52 ` Mimi Zohar
2018-02-15 17:52 ` Mimi Zohar
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 21:00 ` Mimi Zohar
2018-02-16 21:00 ` Mimi Zohar
2018-02-16 21:00 ` Mimi Zohar
2018-02-17 14:20 ` Eric W. Biederman
2018-02-17 14:20 ` Eric W. Biederman
2018-02-17 14:20 ` Eric W. Biederman
2018-02-19 15:44 ` Mimi Zohar
2018-02-19 15:44 ` Mimi Zohar
2018-02-19 15:44 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 3/4] ima: define a new policy option named "fail" Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 4/4] fuse: define the filesystem as untrusted Mimi Zohar
2018-02-14 13:35 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a7wayzcl.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.