From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Wed, 14 Feb 2018 10:36:09 -0500 [thread overview]
Message-ID: <1518622569.5667.26.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180214151637.GA2671@mail.hallyn.com>
On Wed, 2018-02-14 at 09:16 -0600, Serge E. Hallyn wrote:
> Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> > On Wed, 2018-02-14 at 08:49 -0600, Serge E. Hallyn wrote:
> > > Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> > > > Files on untrusted filesystems, such as fuse, can change at any time,
> > > > making the measurement(s) and by extension signature verification
> > > > meaningless.
> > > >
> > > > FUSE can be mounted by unprivileged users either today with fusermount
> > > > installed with setuid, or soon with the upcoming patches to allow FUSE
> > > > mounts in a non-init user namespace.
> > > >
> > > > This patch always fails the file signature verification on unprivileged
> > > > and untrusted filesystems. To also fail file signature verification on
> > >
> > > Why only untrusted? Fuse could cause the same issue if it just
> > > messes up when mounted from init userns right?
> >
> > Right, whether it is an unprivileged mount or not, fuse can return
> > whatever it wants, whenever it wants. ?IMA can calculate the file hash
> > based based on what it reads, but fuse can return whatever it wants on
> > subsequent reads.
>
> Ok but your patch seems to let privileged fuse mounts slide? (see below)
Unprivileged fuse mounts hasn't been upstreamed yet, so we wouldn't be
breaking existing userspace.
>
> > Refer to the discussion with Linus -?http://kernsec.org/pipermail/linu
> > x-security-module-archive/2018-February/005200.html
> >
> > > > privileged, untrusted filesystems requires a custom policy.
> > >
> > > (I'm not saying you shouldn't do this, but) does this mean that
> > > a container whose rootfs is fuse-mounted by the unprivileged user
> > > cannot possibly use IMA?
> >
> > How would you suggest to differentiate between your unprivileged fuse
> > mounts from unintended, unintended malicious ones?
>
> I wouldn't.
What happened to the requirement that systems should be "fail-safe"?
Ok, hard coding this rule probably is not a good idea. ?For those
wanting to take this liability on their systems, we can make this
configurable, like for privileged fuse mounts. ?Unlike for privileged
fuse mounts, the builtin policies, I think, should be fail safe and
include the "fail" rule for unprivileged fuse mounts.
>
> > The remaining patches are policy based.
> >
> > > Good thing we can partially work around that by intercepting real
> > > mount calls with Tycho's new patchset :)
> >
> > Can you provide a little more details?
>
> It would allow a container runtime to intercept mount(2) and perform
> a real mount on the user's behalf. Assuming the runtime is privileged,
> of course, otherwise it would intercept and do a fuse mount which is
> no help here :)
>
> https://lkml.org/lkml/2018/2/4/28
thanks!
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-02-14 15:36 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 13:35 [RFC PATCH 1/4] ima: define a new policy condition based on the filesystem name Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems Mimi Zohar
2018-02-14 14:49 ` Serge E. Hallyn
2018-02-14 15:08 ` Mimi Zohar
2018-02-14 15:16 ` Serge E. Hallyn
2018-02-14 15:36 ` Mimi Zohar [this message]
2018-02-14 15:42 ` Serge E. Hallyn
2018-02-14 15:49 ` Mimi Zohar
2018-02-14 15:54 ` Serge E. Hallyn
2018-02-14 23:57 ` Eric W. Biederman
2018-02-15 12:38 ` Mimi Zohar
2018-02-15 16:47 ` Eric W. Biederman
2018-02-15 17:52 ` Mimi Zohar
2018-02-16 17:48 ` Eric W. Biederman
2018-02-16 21:00 ` Mimi Zohar
2018-02-17 14:20 ` Eric W. Biederman
2018-02-19 15:44 ` Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 3/4] ima: define a new policy option named "fail" Mimi Zohar
2018-02-14 13:35 ` [RFC PATCH 4/4] fuse: define the filesystem as untrusted Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518622569.5667.26.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).