[PATCH v3 4/4] fuse: define the filesystem as untrusted

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Mar 14 14:37:22 UTC 2018

On 03/14/2018 10:27 AM, Serge E. Hallyn wrote:
> Quoting Stefan Berger (stefanb at linux.vnet.ibm.com):
>> On 03/12/2018 03:29 PM, Serge E. Hallyn wrote:
>>> Quoting Mimi Zohar (zohar at linux.vnet.ibm.com):
>>>> Files on FUSE can change at any point in time without IMA being able
>>>> to detect it.  The file data read for the file signature verification
>>>> could be totally different from what is subsequently read, making the
>>>> signature verification useless.
>>>> FUSE can be mounted by unprivileged users either today with fusermount
>>>> installed with setuid, or soon with the upcoming patches to allow FUSE
>>>> mounts in a non-init user namespace.
>>>> This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
>>>> appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
>>>> Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
>>>> Cc: Miklos Szeredi <miklos at szeredi.hu>
>>>> Cc: Seth Forshee <seth.forshee at canonical.com>
>>>> Cc: Eric W. Biederman <ebiederm at xmission.com>
>>>> Cc: Dongsu Park <dongsu at kinvolk.io>
>>>> Cc: Alban Crequy <alban at kinvolk.io>
>>>> Cc: "Serge E. Hallyn" <serge at hallyn.com>
>>> Acked-by: Serge Hallyn <serge at hallyn.com>
>>> Of course when IMA namespacing hits, you'll want to compare the
>>> sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns
>>> right?
>> I suppose this would be the only way to enable 'trusted mounters'
>> within IMA namespaces. Maybe there could be an additional capability
>> gate that would allow one to be a 'trusted mounter' then?
> Wouldn't CAP_SYS_ADMIN to the ima_ns->user_ns suffice?
> I personally think CAP_INTEGRITY would make sense, but right
> now CAP_SYS_ADMIN seems to suffice so it wouldn't make sense to
> raise the bar there unless we raise it for all of IMA configuration.

So for IMA namespacing we may want to avoid CAP_SYS_ADMIN and introduce 
one or more capabilities to:

- set security xattrs from inside the container (when building the 
container for example, maybe also during runtime)
- access IMA's securityfs entries 
from inside the container for reading/writing the policy  (during run-time)
- then possibly mounting a trusted filesystem via fuse


> -serge

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list