Subject: Re: [RFC PATCH v4 1/2] fuse: introduce new fs_type flag FS_IMA_NO_CACHE
From: Mimi Zohar
To: Miklos Szeredi, Christoph Hellwig
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Alban Crequy, Miklos Szeredi, Alexander Viro, Dmitry Kasatkin, James Morris, Christoph Hellwig, "Serge E. Hallyn", Seth Forshee, Dongsu Park, linux-kernel@vger.kernel.org
Date: Fri, 02 Feb 2018 10:20:16 -0500
In-Reply-To: <86832c6adb256f29f44b6229222b80964fc8cfcc.1517314847.git.dongsu@kinvolk.io>
Message-Id: <1517584816.3171.61.camel@linux.vnet.ibm.com>

Hi Miklos,

On Tue, 2018-01-30 at 19:06 +0100, Dongsu Park wrote:
> From: Alban Crequy
>
> This new fs_type flag FS_IMA_NO_CACHE means files should be re-measured,
> re-appraised and re-audited each time. Cached integrity results should
> not be used.
>
> It is useful in FUSE because the userspace FUSE process can change the
> underlying files at any time without notifying the kernel.

Both IMA-measurement and IMA-appraisal cache the integrity results and are dependent on the kernel to detect when a file changes in order to clear the cached info and force the file to be re-evaluated. This detection was dependent on i_version changing. For filesystems that do not support i_version, remote or fuse filesystems, where the kernel does not detect the file change, the file was measured and the signature evaluated just once.

With commit a2a2c3c8580a ("ima: Use i_version only when filesystem supports it"), which is being upstreamed in this open window, i_version is considered an optimization. If i_version is not enabled, either because the local filesystem does not support it or the filesystem wasn't mounted with i_version, the file will now always be re-evaluated.

That patch does not address FUSE or remote filesystems, as the kernel does not detect the change. Further, even if the kernel could detect the change, FUSE filesystems by definition are untrusted.

The original patches addressed FUSE filesystems, by defining a new IMA policy option, forcing the file to be re-evaluated based on the filesystem magic number. All of the changes were in the IMA subsystem. These patches are the result of Christoph's comment on the original patches saying, "ima has no business looking at either the name _or_ the magic number."

Your help in resolving this problem is much appreciated!

Mimi > > Cc: linux-kernel@vger.kernel.org > Cc: linux-integrity@vger.kernel.org > Cc: linux-security-module@vger.kernel.org > Cc: linux-fsdevel@vger.kernel.org > Cc: Miklos Szeredi > Cc: Alexander Viro > Cc: Mimi Zohar > Cc: Dmitry Kasatkin > Cc: James Morris > Cc: Christoph Hellwig > Acked-by: "Serge E. Hallyn" > Acked-by: Seth Forshee > Tested-by: Dongsu Park > Signed-off-by: Alban Crequy > --- > fs/fuse/inode.c | 2 +- > include/linux/fs.h | 1 + > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c > index 624f18bb..0a9e5164 100644 > --- a/fs/fuse/inode.c > +++ b/fs/fuse/inode.c > @@ -1205,7 +1205,7 @@ static void fuse_kill_sb_anon(struct super_block *sb) > static struct file_system_type fuse_fs_type = { > .owner = THIS_MODULE, > .name = "fuse", > - .fs_flags = FS_HAS_SUBTYPE, > + .fs_flags = FS_HAS_SUBTYPE | FS_IMA_NO_CACHE, > .mount = fuse_mount, > .kill_sb = fuse_kill_sb_anon, > }; > diff --git a/include/linux/fs.h b/include/linux/fs.h > index 511fbaab..ced841ba 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -2075,6 +2075,7 @@ struct file_system_type { > #define FS_BINARY_MOUNTDATA 2 > #define FS_HAS_SUBTYPE 4 > #define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */ > +#define FS_IMA_NO_CACHE 16 /* Force IMA to re-measure, re-appraise, re-audit files */ > #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */ > struct dentry *(*mount) (struct file_system_type *, int, > const char *, void *);
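
Review bot: In the fs/fuse/inode.c hunk the flag is set on fuse_fs_type unconditionally, so every mount of that type loses cached results, and the commit message's own premise (the daemon can change files "at any time") means content can still change between a re-measurement and the reads that follow it. Please say in the commit message, or in a comment next to `.fs_flags`, that the flag narrows the window rather than closing it, and confirm whether any other file_system_type defined in this file is served by the same userspace process and needs the same flag.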
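
Review bot: In the include/linux/fs.h hunk, FS_IMA_NO_CACHE names its consumer in a generic VFS header, and its comment describes what IMA should do rather than what is true of the filesystem. A name and comment that state the filesystem property from the commit message (files can change without the kernel being notified) would keep fs.h free of IMA policy and let other callers test the same bit. This patch only defines and sets the bit, so the changelog should also point at the patch in the series that reads it.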
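
The caching behaviour described in the reply above, as an added userspace model (not kernel code and not part of the patch): a cached digest is reused while i_version is unchanged, which goes stale when a FUSE daemon swaps content without the kernel noticing. Only `FS_IMA_NO_CACHE` and its value come from the patch; `model_inode`, `model_measure`, `daemon_swap`, `kernel_write` and the FNV-1a stand-in hash are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FS_IMA_NO_CACHE 16      /* value from the patch; the rest is a model */

struct model_inode {            /* hypothetical, not the kernel's struct inode */
    const char *data;           /* current file content */
    uint64_t i_version;         /* bumped only when the kernel sees a write */
    unsigned fs_flags;
    int cached;                 /* is a cached integrity result present? */
    uint64_t cached_version;
    uint32_t cached_digest;
};

static uint32_t fnv1a(const char *s)    /* stand-in for the real file hash */
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Digest the integrity check would act on for this access. */
static uint32_t model_measure(struct model_inode *in)
{
    int reuse = in->cached && in->cached_version == in->i_version &&
                !(in->fs_flags & FS_IMA_NO_CACHE);
    if (!reuse) {               /* re-evaluate and refresh the cache */
        in->cached_digest = fnv1a(in->data);
        in->cached_version = in->i_version;
        in->cached = 1;
    }
    return in->cached_digest;
}

/* Write through the kernel: content changes and i_version is bumped. */
static void kernel_write(struct model_inode *in, const char *d) { in->data = d; in->i_version++; }
/* FUSE daemon changes content behind the kernel's back: no bump. */
static void daemon_swap(struct model_inode *in, const char *d) { in->data = d; }

/* Returns 1 if the digest used after the change no longer matches the content. */
static int stale_after(unsigned fs_flags, int via_daemon)
{
    struct model_inode in = { "original", 1, fs_flags, 0, 0, 0 };
    model_measure(&in);
    if (via_daemon) daemon_swap(&in, "replaced");
    else kernel_write(&in, "replaced");
    return model_measure(&in) != fnv1a("replaced");
}

int main(void)
{
    printf("kernel write, cached:        stale=%d\n", stale_after(0, 0));
    printf("daemon swap, cached:         stale=%d\n", stale_after(0, 1));
    printf("daemon swap, FS_IMA_NO_CACHE: stale=%d\n", stale_after(FS_IMA_NO_CACHE, 1));
    return 0;
}
```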