From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH v4 1/2] fuse: introduce new fs_type flag FS_IMA_NO_CACHE
Date: Fri, 02 Feb 2018 11:59:04 -0500 [thread overview]
Message-ID: <1517590744.3171.89.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CAJfpegvt5W-q0W8_VRML-MNW6+n2ZQYW+51utRXDDKSbvsqf3w@mail.gmail.com>
On Fri, 2018-02-02 at 17:10 +0100, Miklos Szeredi wrote:
> On Fri, Feb 2, 2018 at 4:33 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Fri, 2018-02-02 at 10:20 -0500, Mimi Zohar wrote:
> >> Hi Miklos,
> >>
> >> On Tue, 2018-01-30 at 19:06 +0100, Dongsu Park wrote:
> >> > From: Alban Crequy <alban@kinvolk.io>
> >> >
> >> > This new fs_type flag FS_IMA_NO_CACHE means files should be re-measured,
> >> > re-appraised and re-audited each time. Cached integrity results should
> >> > not be used.
> >> >
> >> > It is useful in FUSE because the userspace FUSE process can change the
> >> > underlying files at any time without notifying the kernel.
>
> I don't really have an understanding of what IMA is doing; I think the
> same thing applies to any network filesystem (i.e. ones with
> d_revalidate).
>
> Isn't that the case?
IMA is calculating the file hash, for inclusion in the measurement
list, verifying the file signature stored in the xattr, or both. For
the remote filesystem case, re-calculating the file hash would be
limited to inclusion in the measurement list. For FUSE, the kernel
has access to the xattr, so re-calculating the file hash could also be
used to re-verify the file signature.
Mimi
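The caching problem the thread is about, as a constructed model added here (not part of the patch or of IMA's code): a kernel-side integrity cache keyed on i_version is silently stale when a userspace FUSE daemon rewrites the backing content without the kernel seeing a write, and an FS_IMA_NO_CACHE-style flag forces re-measurement. The flag value, the `Inode` type and the helper names are assumptions of this model.

```python
"""Toy model of IMA result caching versus FS_IMA_NO_CACHE (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

FS_IMA_NO_CACHE = 0x1  # assumed flag value; this model only


@dataclass
class Inode:
    """Minimal stand-in for a kernel inode plus its cached integrity result."""
    fs_flags: int
    content: bytes                         # what the filesystem backend currently serves
    i_version: int = 1                     # bumped only when the kernel itself sees a write
    cached_hash: Optional[bytes] = None
    cached_version: Optional[int] = None


def ima_collect_measurement(inode: Inode) -> bytes:
    """Re-hash the file content (the expensive step IMA would like to cache)."""
    return hashlib.sha256(inode.content).digest()


def ima_appraise(inode: Inode, expected: bytes) -> bool:
    """Return True if the file hash matches `expected` (stand-in for the signed xattr).
    Without FS_IMA_NO_CACHE, a cached hash is trusted while i_version is unchanged."""
    cache_ok = (not inode.fs_flags & FS_IMA_NO_CACHE
                and inode.cached_hash is not None
                and inode.cached_version == inode.i_version)
    if cache_ok:
        digest = inode.cached_hash
    else:
        digest = ima_collect_measurement(inode)
        inode.cached_hash, inode.cached_version = digest, inode.i_version
    return digest == expected


def backend_rewrite(inode: Inode, new_content: bytes) -> None:
    """Userspace FUSE daemon changes the file; the kernel sees no write, so no i_version bump."""
    inode.content = new_content


def demo(flags: int) -> Tuple[bool, bool]:
    """Appraise a good file, let the backend swap its content, appraise again."""
    good = b"trusted payload"  # constructed sample content
    ino = Inode(fs_flags=flags, content=good)
    expected = hashlib.sha256(good).digest()
    first = ima_appraise(ino, expected)
    backend_rewrite(ino, b"tampered payload")
    second = ima_appraise(ino, expected)
    return first, second
```

With caching, `demo(0)` still passes the rewritten file because the cache entry looks fresh; with the flag set, the second appraisal re-hashes and fails.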