[PATCH v3 4/4] fuse: define the filesystem as untrusted

[serge@hallyn.com (Serge E. Hallyn)]

Quoting Stefan Berger (stefanb at linux.vnet.ibm.com):
> On 03/12/2018 03:29 PM, Serge E. Hallyn wrote:
> >Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> >>Files on FUSE can change at any point in time without IMA being able
> >>to detect it.  The file data read for the file signature verification
> >>could be totally different from what is subsequently read, making the
> >>signature verification useless.
> >>
> >>FUSE can be mounted by unprivileged users either today with fusermount
> >>installed with setuid, or soon with the upcoming patches to allow FUSE
> >>mounts in a non-init user namespace.
> >>
> >>This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
> >>appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
> >>
> >>Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >>Cc: Miklos Szeredi <miklos@szeredi.hu>
> >>Cc: Seth Forshee <seth.forshee@canonical.com>
> >>Cc: Eric W. Biederman <ebiederm@xmission.com>
> >>Cc: Dongsu Park <dongsu@kinvolk.io>
> >>Cc: Alban Crequy <alban@kinvolk.io>
> >>Cc: "Serge E. Hallyn" <serge@hallyn.com>
> >Acked-by: Serge Hallyn <serge@hallyn.com>
> >
> >Of course when IMA namespacing hits, you'll want to compare the
> >sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns
> >right?
> 
> I suppose this would be the only way to enable 'trusted mounters'
> within IMA namespaces. Maybe there could be an additional capability
> gate that would allow one to be a 'trusted mounter' then?

Wouldn't CAP_SYS_ADMIN to the ima_ns->user_ns suffice?

I personally think CAP_INTEGRITY would make sense, but right
now CAP_SYS_ADMIN seems to suffice so it wouldn't make sense to
raise the bar there unless we raise it for all of IMA configuration.

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html