From: ebiederm@xmission.com (Eric W. Biederman)
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 17:57:26 -0600 [thread overview]
Message-ID: <87po57yvix.fsf@xmission.com> (raw)
In-Reply-To: <1518615315-7162-2-git-send-email-zohar@linux.vnet.ibm.com> (Mimi Zohar's message of "Wed, 14 Feb 2018 08:35:13 -0500")
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> Files on untrusted filesystems, such as fuse, can change at any time,
> making the measurement(s) and by extension signature verification
> meaningless.
>
> FUSE can be mounted by unprivileged users either today with fusermount
> installed with setuid, or soon with the upcoming patches to allow FUSE
> mounts in a non-init user namespace.
>
> This patch always fails the file signature verification on unprivileged
> and untrusted filesystems. To also fail file signature verification on
> privileged, untrusted filesystems requires a custom policy.
>
> (This patch is based on Alban Crequy's use of fs_flags and patch
> description.)
This would be much better done based on a flag in s_iflags and then the
mounts that need this can set this. That new flag can perhaps be called
SB_I_IMA_FAIL.
Among other things that should allow the policy of when to set this to
be set in fuse where it is obvious rather than in an magic location in
IMA.
Eric
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Seth Forshee <seth.forshee@canonical.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Dongsu Park <dongsu@kinvolk.io>
> Cc: Alban Crequy <alban@kinvolk.io>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> ---
> include/linux/fs.h | 1 +
> security/integrity/ima/ima_appraise.c | 10 +++++++++-
> 2 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 2a815560fda0..faffe4aab43d 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2069,6 +2069,7 @@ struct file_system_type {
> #define FS_BINARY_MOUNTDATA 2
> #define FS_HAS_SUBTYPE 4
> #define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */
> +#define FS_UNTRUSTED 16 /* Defined filesystem as untrusted */
> #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */
> struct dentry *(*mount) (struct file_system_type *, int,
> const char *, void *);
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index f2803a40ff82..af8add31fe26 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -292,7 +292,14 @@ int ima_appraise_measurement(enum ima_hooks func,
> }
>
> out:
> - if (status != INTEGRITY_PASS) {
> + /* Fail untrusted and unpriviliged filesystems (eg FUSE) */
> + if ((inode->i_sb->s_type->fs_flags & FS_UNTRUSTED) &&
> + (inode->i_sb->s_user_ns != &init_user_ns)) {
> + status = INTEGRITY_FAIL;
> + cause = "untrusted-filesystem";
> + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> + op, cause, rc, 0);
> + } else if (status != INTEGRITY_PASS) {
> if ((ima_appraise & IMA_APPRAISE_FIX) &&
> (!xattr_value ||
> xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
> @@ -309,6 +316,7 @@ int ima_appraise_measurement(enum ima_hooks func,
> } else {
> ima_cache_flags(iint, func);
> }
> +
> ima_set_cache_status(iint, func, status);
> return status;
> }
next prev parent reply other threads:[~2018-02-14 23:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1518615315-7162-1-git-send-email-zohar@linux.vnet.ibm.com>
[not found] ` <1518615315-7162-2-git-send-email-zohar@linux.vnet.ibm.com>
2018-02-14 14:49 ` [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems Serge E. Hallyn
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:36 ` Mimi Zohar
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 23:57 ` Eric W. Biederman [this message]
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 17:52 ` Mimi Zohar
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 21:00 ` Mimi Zohar
2018-02-17 14:20 ` Eric W. Biederman
2018-02-19 15:44 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87po57yvix.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).