Received: by 10.223.176.46 with SMTP id f43csp2871393wra; Mon, 22 Jan 2018 04:57:51 -0800 (PST) X-Google-Smtp-Source: AH8x224lFbkj6r48q9uQZYOK7HDgofdrBx+ZFxNWBhf0Hqbbo/QNPpO9UW96DDPNLiZYb/1KF1hS X-Received: by 2002:a17:902:560f:: with SMTP id h15-v6mr3423900pli.75.1516625870966; Mon, 22 Jan 2018 04:57:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516625870; cv=none; d=google.com; s=arc-20160816; b=gUxEhp/byOd0BIxuHQL++NQXQQojcBILjfEKrc0YeQDL39LWqtLpnMtvCNod8UObXl nXqkOe7F7aWFayWcRUB5XWiNGYfLmGoFDHrpOhktb8tGH2esxAbElJo8r+kq6FJy1w25 H/pydPI1lf/CWx16sHM+Fz+GUrnvZx6NMj/52I7mbBbsiBxoy8TzHBFOscUAzqzdwtuN 5lWw1/CzWOmVrwyiJ6Q2otOMp8DV6JMzOht+PHQLStFzHRAd31admdbcwNP1uLrbHONb 2aINV8hlHLmHYYeTBR2iX6mVsXVVb2IfmTl7r3auqOZV12wJnDHO+pge0eojtvk1WQaW eLGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject :arc-authentication-results; bh=V38dxyxI/vjOvrROL3F3zgVNBcANJX209c8nTh7+u/g=; b=tQOPrDC4PMmoFAdTpqx2q9MhauHuH6+hS6jh1jyY+MlONtmZB3Szuay7XYsvZ0CmSn t2tAab1ulP405eHLR41/rUtDnHE0sEAB+9R23WVw54mdUFxKuauVU2TgFWebClff6Ynb +gWaBRkYpXneCY3TK26jtV3f94xnkRZnPwAQtjcdrVGTJ5eTQNd09g2ighaZhBjKQZvB JIfgwttBeTPjoc/bQRCbRcwQVjtdETgTwBC+YoOL1UKFSfuXBs7xo23R8+Lva73+lqKr zXLXKDPh3a5RQFQs/sYH5odxQ5NJq70i04SH3HfD5vhhwQ3lkFh+hpMe0XVjOm9HHq7k HSbA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m25si13661346pgv.483.2018.01.22.04.57.36; Mon, 22 Jan 2018 04:57:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751192AbeAVM45 (ORCPT + 99 others); Mon, 22 Jan 2018 07:56:57 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:48412 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751122AbeAVM4y (ORCPT ); Mon, 22 Jan 2018 07:56:54 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0MCtgCY008867 for ; Mon, 22 Jan 2018 07:56:54 -0500 Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111]) by mx0a-001b2d01.pphosted.com with ESMTP id 2fneyduk7r-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Mon, 22 Jan 2018 07:56:53 -0500 Received: from localhost by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 22 Jan 2018 12:56:51 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 22 Jan 2018 12:56:46 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w0MCukE655836880; Mon, 22 Jan 2018 12:56:46 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8A3A142045; Mon, 22 Jan 2018 12:50:05 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B20154203F; Mon, 22 Jan 2018 12:50:03 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.102.7]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 22 Jan 2018 12:50:03 +0000 (GMT) Subject: Re: [RFC PATCH v2] ima,fuse: introduce new fs flag FS_NO_IMA_CACHE From: Mimi Zohar To: Alban Crequy Cc: Alban Crequy , Iago =?ISO-8859-1?Q?L=F3pez?= Galeiras , Dongsu Park , LKML , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miklos Szeredi , Alexander Viro , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" , Seth Forshee , Christoph Hellwig Date: Mon, 22 Jan 2018 07:56:43 -0500 In-Reply-To: References: <20180116151000.443-1-alban@kinvolk.io> <1516310702.3772.11.camel@linux.vnet.ibm.com> <1516380970.3772.112.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18012212-0020-0000-0000-000003ED5EE9 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18012212-0021-0000-0000-0000427FA6AF Message-Id: <1516625803.3772.124.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-22_05:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1801220185 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2018-01-22 at 10:16 +0100, Alban Crequy wrote: > On Fri, Jan 19, 2018 at 5:56 PM, Mimi Zohar wrote: > > On Fri, 2018-01-19 at 11:35 +0100, Alban Crequy wrote: > >> On Thu, Jan 18, 2018 at 10:25 PM, Mimi Zohar wrote: > >> > On Tue, 2018-01-16 at 16:10 +0100, Alban Crequy wrote: > >> >> From: Alban Crequy > >> >> > >> >> This patch forces files to be re-measured, re-appraised and re-audited > >> >> on file systems with the feature flag FS_NO_IMA_CACHE. In that way, > >> >> cached integrity results won't be used. > >> >> > >> >> For now, this patch adds the new flag only FUSE filesystems. This is > >> >> needed because the userspace FUSE process can change the underlying > >> >> files at any time. > >> > > >> > Thanks, it's working nicely. > >> > > >> > > >> >> diff --git a/include/linux/fs.h b/include/linux/fs.h > >> >> index 511fbaabf624..2bd7e73ebc2a 100644 > >> >> --- a/include/linux/fs.h > >> >> +++ b/include/linux/fs.h > >> >> @@ -2075,6 +2075,7 @@ struct file_system_type { > >> >> #define FS_BINARY_MOUNTDATA 2 > >> >> #define FS_HAS_SUBTYPE 4 > >> >> #define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */ > >> >> +#define FS_NO_IMA_CACHE 16 /* Force IMA to re-measure, re-appraise, re-audit files */ > >> >> #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */ > >> >> struct dentry *(*mount) (struct file_system_type *, int, > >> >> const char *, void *); > >> >> > >> > > >> > Since IMA is going to need another flag, we probably should have a > >> > consistent prefix (eg. "FS_IMA"). Maybe rename this flag to > >> > FS_IMA_NO_CACHE. > >> > >> Ok, I can rename it. > >> > >> Is there a discussion about the other IMA flag? > > > > There's not a single thread that I can point to, but more of an on > > going discussion as to what it means for a filesystem to support IMA > > and how that decision is made. > > > > - Initial measuring, verifying, auditing files > > - Safely detecting when a file changes > > - Not applicable/supported > > > > With Sascha Hauer's patch "ima: Use i_version only when filesystem > > supports it" and this patch, the second issue is addressed, but will > > cause files to be re-validated, perhaps unnecessarily, impacting > > performance. > > > > Some filesystems should not be evaluated, such as pseudo filesystems > > (eg. cgroups, sysfs, devpts, pstorefs, efivarfs, debugfs, selinux, > > smack). Instead of defining a flag indicating whether or not IMA is > > applicable/supported, we should define a new flag, indicating whether > > it is a pseudo filesystem. This would eliminate a large portion of at > > least the builtin IMA policy rules. > > Thanks for the explanation. If that other flag is about whether it is > a pseudo filesystem, it might not have "IMA" in the name though. Agreed.  If we ever need to define another FS flag, we would most likely define it in the negative (eg. FS_NO_IMA_XXXXX).  So the current name is fine. > >> > I'm also wondering if this change should be > >> > separated from the IMA change. > >> > >> Do you mean one patch for adding the flag and the IMA change and > >> another patch for using the flag in FUSE? > > > > The flag and FUSE usage of the flag, separately from IMA. > > Ok, I will send a v3 with the 2 changes. thanks, Mimi