Received: by 10.223.176.46 with SMTP id f43csp3101203wra;
        Mon, 22 Jan 2018 08:25:40 -0800 (PST)
X-Google-Smtp-Source: AH8x225tHkDEaywpQIJQpfUJUgHmSgX/5VunoDua7Xf4ftLFuqfjbemD+2QFVeGzl/3YKOYyIZso
X-Received: by 10.202.78.72 with SMTP id c69mr3989451oib.324.1516638340427;
        Mon, 22 Jan 2018 08:25:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516638340; cv=none;
        d=google.com; s=arc-20160816;
        b=JktJDVkqqFiRblesE0YL0Ftg3sKWpfsJU1zPkn42aphtvN6c38IjvviYrwv1kFVASb
         Q0e6delgPUsgu5ALDJTGaaOvzEd+aID9zbw5W6COHBxBRknWu6i8pbfHMRmutKzwQ1je
         twa1YUI747ZaxxHzBj5Pe7u1cynSa5pHqfqAznTE9mX0tjVJsyGZ9uv/NJ9SdM9PAAce
         P5ur9iyAEg4yjpO/DkC7Ilh11Jdx6vHNs0y7SSwTsL5DtHp0qsGi+hRzpqAkAT1jWMYy
         xYnt9IAFjRBJLEJQZ33Zyvxhq4D8jJNrdbB4OQIXzlpCb+FBWQwOtvNKK1MGqqFKR44H
         yPvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature:arc-authentication-results;
        bh=Jnaf0kUYXfPKexUTmElKGiZuH3LVUM3hfCiytK15p50=;
        b=IbQTXb4LnaInKO7kZUt4IxMTx5qHKrPDkZTaG44Oi8BfnbvhhxGnqLQy9W/y1CI0se
         129hoDKLj8vUbor6k2lgQ6+HsncQPlc5Rd3owREG0nayi8jfC/VrW4DJWUjNGsfCMsBA
         RoXjzFkhFW+yx/6IBuGj2vsiFaQXe7sE133uT8YL8fB1pxHCnsp2PLsDnrvbBfebRnkv
         xEYdSKGUHmWYWc2EnL3OOhp5DQx4LfKZXjkJWbxdt6sjyRsWb2QZvu9JeGgsGriQDKHQ
         SG5i2hwNgY0GWFXcVOY2MoErzsWdyIgPLMEov2+/EQwd08iHkezmDiYjMXKepJQrNmcf
         uinQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=byA4dqBP;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d5si6110102itj.16.2018.01.22.08.25.27;
        Mon, 22 Jan 2018 08:25:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=byA4dqBP;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751140AbeAVQZB (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Mon, 22 Jan 2018 11:25:01 -0500
Received: from mail-wm0-f65.google.com ([74.125.82.65]:39205 "EHLO
        mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751028AbeAVQZA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 Jan 2018 11:25:00 -0500
Received: by mail-wm0-f65.google.com with SMTP id b21so18003473wme.4;
        Mon, 22 Jan 2018 08:24:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:from:to:cc:subject:date:message-id;
        bh=Jnaf0kUYXfPKexUTmElKGiZuH3LVUM3hfCiytK15p50=;
        b=byA4dqBPHsIjjR8ihb3a9ifxMibVPKnAqTB2IdvSvYYn862FRA4jWuDg+JhpqrwlLf
         2GPzuMe1wAJV6ZXaOHth10t3tH81vMXmmczcgeCD/1WvljLz9poRW7n4EY9bqElPKsbX
         gghpGVwZlswJZK/ZYIxT4BhFJNjXheATNaBn+nGLwr/vRHjBHbjpBgPlqQ1IxC91/qYx
         O+9jdmNtC8CvFnTyb2U78GfndWP/brvJOOg/xDhDGWEBUFHgY6TCMvmwUfEJaxV89iaq
         0/jbfHZPIEd9dMGerHCbF3FIXHM3LpLU6HUgRivYRWakNdD3Pw9+r9kuaU3ZMIUBJYfC
         mTqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id;
        bh=Jnaf0kUYXfPKexUTmElKGiZuH3LVUM3hfCiytK15p50=;
        b=J8rLacoZTqiFwxyZtBSyAHNgw6lq+EFmDM7bUf1Xg9WYCIxow+1QnBDU68e5EhHf98
         De6mgjBUXsuPX8oXolpPx5L9R5B/X4mSFxmbzKi5LumvuIjnVpWi3PVTLcknwxFEymOw
         OjRxg+k7TvHaKVAs/H9Du/qQ2l+kkyY1x9SXSrATAfZkH6+qFIbUOeSvADQ7xo/Zx63b
         +1Ac+DUXA3D+MZLiWURSn1Xm1/sBjcGyaiumWUqFUebTt06r0VyY/5MG//5O6+wVky8H
         G+vOG4yU97NdGseyu4kWb8BrRP1IujvNMdCkKH3/z5xj9FzL6Cc7YIJ3oRguzukXhIAa
         /QAw==
X-Gm-Message-State: AKwxytdF65nkz63f+cUaWhaNJexktGPRuO8Y0P5sufMem77a8snkYAp8
        DCOyl60hLRek63GCLKqQ6Jw=
X-Received: by 10.80.133.33 with SMTP id 30mr14492527edr.24.1516638298337;
        Mon, 22 Jan 2018 08:24:58 -0800 (PST)
Received: from localhost.localdomain ([178.19.216.175])
        by smtp.gmail.com with ESMTPSA id g21sm11920844edg.88.2018.01.22.08.24.57
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Mon, 22 Jan 2018 08:24:57 -0800 (PST)
From:   Alban Crequy <alban.crequy@gmail.com>
X-Google-Original-From: Alban Crequy <alban@kinvolk.io>
To:     alban@kinvolk.io
Cc:     dongsu@kinvolk.io, iago@kinvolk.io, linux-kernel@vger.kernel.org,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, miklos@szeredi.hu,
        viro@zeniv.linux.org.uk, zohar@linux.vnet.ibm.com,
        dmitry.kasatkin@gmail.com, james.l.morris@oracle.com,
        serge@hallyn.com, seth.forshee@canonical.com, hch@infradead.org
Subject: [RFC PATCH v3 0/2] ima,fuse: introduce new fs flag FS_IMA_NO_CACHE
Date:   Mon, 22 Jan 2018 17:24:50 +0100
Message-Id: <20180122162452.8756-1-alban@kinvolk.io>
X-Mailer: git-send-email 2.13.6
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patchset v3 introduces a new fs flag FS_IMA_NO_CACHE and uses it in
FUSE. This forces files to be re-measured, re-appraised and re-audited
on file systems with the feature flag FS_IMA_NO_CACHE. In that way,
cached integrity results won't be used.

There was a previous attempt (unmerged) with a IMA option named "force" and using
that option for FUSE filesystems. These patches use a different approach
so that the IMA subsystem does not need to know about FUSE.
- https://www.spinics.net/lists/linux-integrity/msg00948.html
- https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1584131.html

Changes since v1: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1587390.html
- include linux-fsdevel mailing list in cc
- mark patch as RFC
- based on next-integrity, without other unmerged FUSE / IMA patches

Changes since v2: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1587678.html
- rename flag to FS_IMA_NO_CACHE
- split patch into 2

The patchset is also available in our github repo:
  https://github.com/kinvolk/linux/tree/alban/fuse-flag-ima-nocache-v3


Alban Crequy (2):
  fuse: introduce new fs_type flag FS_IMA_NO_CACHE
  ima: force re-appraisal on filesystems with FS_IMA_NO_CACHE

 fs/fuse/inode.c                   |  2 +-
 include/linux/fs.h                |  1 +
 security/integrity/ima/ima_main.c | 24 ++++++++++++++++++++++--
 3 files changed, 24 insertions(+), 3 deletions(-)

-- 
2.13.6