Re: [PATCH v1 1/2] ima: fail signature verification on untrusted filesystems

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
	James Morris <jmorris@namei.org>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
	Seth Forshee <seth.forshee@canonical.com>,
	Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>
Subject: Re: [PATCH v1 1/2] ima: fail signature verification on untrusted filesystems
Date: Wed, 21 Feb 2018 18:32:34 -0500	[thread overview]
Message-ID: <1519255954.3400.16.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <87r2peaqf0.fsf@xmission.com>

On Wed, 2018-02-21 at 17:12 -0600, Eric W. Biederman wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> 
> > On Wed, 2018-02-21 at 16:46 -0600, Eric W. Biederman wrote:
> >> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> >> 
> >> >> > > On the flip side when it really is a trusted mounter, and it is in a
> >> >> > > configuration that IMA has a reasonable expectation of seeing all of
> >> >> > > the changes it would be nice if we can say please trust this mount.
> >> >> > 
> >> >> > IMA has no way of detecting file change.  This was one of the reasons
> >> >> > for the original patch set's not using the cached IMA results.
> >> >> > 
> >> >> > Even in the case of a trusted mounter and not using IMA cached
> >> >> > results, there are no guarantees that the data read to calculate the
> >> >> > file hash, will be the same as what is subsequently read.  In some
> >> >> > environments this might be an acceptable risk, while in others not.
> >> >> 
> >> >> So for the cases where it's not, there should be an IMA option or policy
> >> >> to say any SB_I_IMA_UNVERIFIABLE_SIGNATURES mounts should be not
> >> >> trusted, with the default being both SB_I_IMA_UNVERIFIABLE_SIGNATURES and
> >> >> SB_I_UNTRUSTED_MOUNTER must be true to not trust, right?
> >> >
> >> > Right.  To summarize, we've identified 3 scenarios:
> >> > 1. Fail signature verification on unprivileged non-init root mounted
> >> > file systems.
> >> >
> >> > flags: SB_I_IMA_UNVERIFIABLE_SIGNATURES and SB_I_UNTRUSTED_MOUNTER
> >> > (always enabled)
> >> >
> >> > 2. Permit signature verification on privileged file system mounts in a
> >> > secure system environment.  Willing to accept the risk.  Does not rely
> >> > on cached integrity results, but forces re-evaluation.
> >> >
> >> > flags: SB_I_IMA_UNVERIFIABLE_SIGNATURES, not SB_I_UNTRUSTED_MOUNTER or
> >> > IMA_FAIL_UNVERIFICABLE_SIGNATURES (default behavior)
> >> >
> >> > 3. Fail signature verification also on privileged file system mounts.
> >> > Fail safe, unwilling to accept the risk.
> >> >
> >> > flags:
> >> > SB_I_IMA_UNVERIFIABLE_SIGNATURES and IMA_FAIL_UNVERIFIABLE_SIGNATURES
> >> >
> >> > Enabled by specifying "ima_policy=unverifiable_sigs" on the boot
> >> > command line.
> >> 
> >> There is another scenaro.
> >> 4. Permit signature verification on out of kernel but otherwise fully
> >>    capable and trusted filesystems.
> >> 
> >> Fuse has a mode where it appears to be cache coherent, and guaranteed to
> >> be local. AKA when fuse block is used and FUSE_WRITEBACK_CACHE is set.
> >> That configuratioin plus the the allow_other mount option appear to
> >> signal a fuse mount that can be reasonably be trusted as much as an
> >> in-kernel block based filesystem.
> >> 
> >> That is a mode someone might use to mount exFat or ntfs-3g.
> >> 
> >> As all writes come from the kernel, and it is safe to have a write-back
> >> cache I believe ima can reasonably verify signatures.  There may be
> >> something technical like the need to verify i_version in this case,
> >> but for purposes of argument let's say fuse has implemented all of the
> >> necessary technical details.
> >> 
> >> In that case we have a case where it is reasonable to say that
> >> SB_I_IMA_UNVERIFIABLE_SIGNATURES would be incorrect to set on a fuse
> >> filesystem.
> >> 
> >> Mimi do you agree or am I missing something?
> >
> > This simply sounds like a performance improvement to the second
> > scenario, where instead of *always* forcing re-validation, it checks
> > the i_version.  Perhaps based on a different flag.
> 
> As I understand the second scenario SB_I_IMA_UNVERIFIABLE_SIGNATURES
> is set, which implies that the filesystem is lacking something for IMA
> to reliably know when a file has changed.  AKA a technical deficiency.
> 
> The fourth scenario is the case when SB_I_IMA_UNVERIFIABLE_SIGNATURES
> can be legitimately be cleared, because the filesystem provides all
> of the necessary support for IMA to reliably know when a file has
> changed.

The information might be there, but IMA currently detects a file
change and resets the flags only when the last writer calls
__fput().  Any other time, new support would be needed.

Mimi

> My point is that cases exists or it is straight forward to implemented
> in fuse.
> 
> 
> I add the fourth case so that we can get a solid definition of
> SB_I_IMA_UNVERIFIABLE_SIGNATURES.
> 
> Eric
>

next prev parent reply	other threads:[~2018-02-21 23:32 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-19 15:18 [PATCH v1 0/2] ima: untrusted filesystems Mimi Zohar
2018-02-19 15:18 ` [PATCH v1 1/2] ima: fail signature verification on " Mimi Zohar
2018-02-19 21:47   ` Eric W. Biederman
2018-02-20  0:52     ` James Morris
2018-02-20  2:02       ` Eric W. Biederman
2018-02-20 14:02         ` Mimi Zohar
2018-02-20 20:16           ` Serge E. Hallyn
2018-02-21 14:46             ` Mimi Zohar
2018-02-21 22:46               ` Eric W. Biederman
2018-02-21 22:57                 ` Mimi Zohar
2018-02-21 23:12                   ` Eric W. Biederman
2018-02-21 23:32                     ` Mimi Zohar [this message]
2018-02-27  2:12                       ` Eric W. Biederman
2018-02-21 22:53           ` Eric W. Biederman
2018-02-21 23:03             ` Mimi Zohar
2018-02-19 22:50   ` kbuild test robot
2018-02-19 23:36   ` kbuild test robot
2018-02-19 15:18 ` [PATCH v1 2/2] fuse: define the filesystem as untrusted Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1519255954.3400.16.camel@linux.vnet.ibm.com \
    --to=zohar@linux.vnet.ibm.com \
    --cc=alban@kinvolk.io \
    --cc=dongsu@kinvolk.io \
    --cc=ebiederm@xmission.com \
    --cc=jmorris@namei.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=serge@hallyn.com \
    --cc=seth.forshee@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).