[PATCH v1 2/2] fuse: define the filesystem as untrusted
Mimi Zohar
zohar at linux.vnet.ibm.com
Mon Feb 19 15:18:03 UTC 2018
Files on FUSE can change at any point in time without IMA being able
to detect it. The file data read for the file signature verification
could be totally different from what is subsequently read, making the
signature verification useless.

FUSE can be mounted by unprivileged users either today with fusermount
installed with setuid, or soon with the upcoming patches to allow FUSE
mounts in a non-init user namespace.

This patch sets the SB_I_IMA_UNTRUSTED_FS flag.
Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos at szeredi.hu>
Cc: Seth Forshee <seth.forshee at canonical.com>
Cc: Eric W. Biederman <ebiederm at xmission.com>
Cc: Dongsu Park <dongsu at kinvolk.io>
Cc: Alban Crequy <alban at kinvolk.io>
Cc: "Serge E. Hallyn" <serge at hallyn.com>
---
fs/fuse/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 624f18bbfd2b..2cbf01fc85a2 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1080,6 +1080,7 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
sb->s_maxbytes = MAX_LFS_FILESIZE;
sb->s_time_gran = 1;
sb->s_export_op = &fuse_export_operations;
+ sb->s_iflags |= SB_I_IMA_UNTRUSTED_FS;
file = fget(d.fd);
err = -EINVAL;
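Review bot: The added `sb->s_iflags |= SB_I_IMA_UNTRUSTED_FS;` in fuse_fill_super() is unconditional, so every FUSE superblock gets the flag, including mounts performed by a privileged user, while the second paragraph of the commit message motivates the change with unprivileged mounts (setuid fusermount, non-init user namespaces). If covering all FUSE mounts is intended because the file data can change underneath IMA regardless of who mounted it, please say so explicitly in the commit message; otherwise make the assignment conditional on how the mount was created. The message also does not say what IMA does once the flag is set (fail verification, skip it, or only log), which is needed to judge the impact on existing FUSE users with IMA appraisal policies. A one-line comment above the assignment explaining why FUSE is marked untrusted would help, since the neighbouring `sb->` assignments give no hint of the reason.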
--
2.7.5