From: Alban Crequy
To: alban@kinvolk.io
Cc: dongsu@kinvolk.io, iago@kinvolk.io, linux-kernel@vger.kernel.org,
    linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org,
    linux-fsdevel@vger.kernel.org, miklos@szeredi.hu, viro@zeniv.linux.org.uk,
    zohar@linux.vnet.ibm.com, dmitry.kasatkin@gmail.com,
    james.l.morris@oracle.com, serge@hallyn.com, seth.forshee@canonical.com,
    hch@infradead.org
Subject: [RFC PATCH v3 0/2] ima,fuse: introduce new fs flag FS_IMA_NO_CACHE
Date: Mon, 22 Jan 2018 17:24:50 +0100
Message-Id: <20180122162452.8756-1-alban@kinvolk.io>
X-Mailing-List: linux-kernel@vger.kernel.org

This patchset v3 introduces a new fs flag FS_IMA_NO_CACHE and uses it in
FUSE. This forces files to be re-measured, re-appraised and re-audited on
file systems with the feature flag FS_IMA_NO_CACHE. In that way, cached
integrity results won't be used.

There was a previous attempt (unmerged) with an IMA option named "force" and
using that option for FUSE filesystems. These patches use a different
approach so that the IMA subsystem does not need to know about FUSE.
- https://www.spinics.net/lists/linux-integrity/msg00948.html
- https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1584131.html

Changes since v1: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1587390.html
- include linux-fsdevel mailing list in cc
- mark patch as RFC
- based on next-integrity, without other unmerged FUSE / IMA patches

Changes since v2: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1587678.html
- rename flag to FS_IMA_NO_CACHE
- split patch into 2

The patchset is also available in our github repo:
  https://github.com/kinvolk/linux/tree/alban/fuse-flag-ima-nocache-v3

Alban Crequy (2):
  fuse: introduce new fs_type flag FS_IMA_NO_CACHE
  ima: force re-appraisal on filesystems with FS_IMA_NO_CACHE

 fs/fuse/inode.c                   |  2 +-
 include/linux/fs.h                |  1 +
 security/integrity/ima/ima_main.c | 24 ++++++++++++++++++++++--
 3 files changed, 24 insertions(+), 3 deletions(-)

-- 
2.13.6
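
Added example, not part of the original message and not the patchset's code: a user-space C model of the caching behaviour the cover letter describes, showing a stale cached result being reused and the same case when the filesystem carries the flag. Only the name FS_IMA_NO_CACHE comes from the message; the flag's value, the struct and function names, the sample content and the FNV-1a stand-in hash are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define FS_IMA_NO_CACHE 0x1u /* name from the cover letter; value constructed */
struct file_model {
    unsigned fs_flags;      /* flags of the file's filesystem type */
    const char *data;       /* content the filesystem serves right now */
    bool cached, cached_ok; /* stored result of an earlier appraisal */
    unsigned measurements;  /* how often the content was actually hashed */
};

/* FNV-1a stands in for the file hash; an assumption, not what IMA uses. */
static uint32_t toy_hash(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Returns true when the content is accepted against the reference hash. */
static bool appraise(struct file_model *f, uint32_t good_hash)
{
    if (f->fs_flags & FS_IMA_NO_CACHE)
        f->cached = false;  /* discard the earlier result */
    if (!f->cached) {
        f->cached_ok = (toy_hash(f->data) == good_hash);
        f->cached = true;
        f->measurements++;
    }
    return f->cached_ok;
}

/* Open once, let the content change without the cache noticing, open again. */
static bool second_open_allowed(unsigned fs_flags, unsigned *measurements)
{
    struct file_model f = { fs_flags, "original", false, false, 0 };
    uint32_t good = toy_hash("original");
    appraise(&f, good);     /* first open: measured and accepted */
    f.data = "modified";    /* constructed change, invisible to the cache */
    bool ok = appraise(&f, good);
    *measurements = f.measurements;
    return ok;
}

int main(void)
{
    unsigned n, m;
    bool a = second_open_allowed(0, &n), b = second_open_allowed(FS_IMA_NO_CACHE, &m);
    return printf("cached: accepted=%d hashed=%u; no-cache: accepted=%d hashed=%u\n", a, n, b, m) < 0;
}
```

Without the flag the second open is accepted from the cached result after a single hash; with it the content is hashed again and the changed content is rejected.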