[PATCH v3 4/4] fuse: define the filesystem as untrusted
Serge E. Hallyn
serge at hallyn.com
Wed Mar 14 14:27:01 UTC 2018
Quoting Stefan Berger (stefanb at linux.vnet.ibm.com):
> On 03/12/2018 03:29 PM, Serge E. Hallyn wrote:
> >Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
> >>Files on FUSE can change at any point in time without IMA being able
> >>to detect it. The file data read for the file signature verification
> >>could be totally different from what is subsequently read, making the
> >>signature verification useless.
> >>
> >>FUSE can be mounted by unprivileged users either today with fusermount
> >>installed with setuid, or soon with the upcoming patches to allow FUSE
> >>mounts in a non-init user namespace.
> >>
> >>This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
> >>appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
> >>
> >>Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
> >>Cc: Miklos Szeredi <miklos at szeredi.hu>
> >>Cc: Seth Forshee <seth.forshee at canonical.com>
> >>Cc: Eric W. Biederman <ebiederm at xmission.com>
> >>Cc: Dongsu Park <dongsu at kinvolk.io>
> >>Cc: Alban Crequy <alban at kinvolk.io>
> >>Cc: "Serge E. Hallyn" <serge at hallyn.com>
> >Acked-by: Serge Hallyn <serge at hallyn.com>
> >
> >Of course when IMA namespacing hits, you'll want to compare the
> >sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns
> >right?
>
> I suppose this would be the only way to enable 'trusted mounters'
> within IMA namespaces. Maybe there could be an additional capability
> gate that would allow one to be a 'trusted mounter' then?
Wouldn't CAP_SYS_ADMIN to the ima_ns->user_ns suffice?
I personally think CAP_INTEGRITY would make sense, but right
now CAP_SYS_ADMIN seems to suffice so it wouldn't make sense to
raise the bar there unless we raise it for all of IMA configuration.
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list