Received: by 10.223.176.5 with SMTP id f5csp866858wra;
        Fri, 2 Feb 2018 07:23:08 -0800 (PST)
X-Google-Smtp-Source: AH8x226Ec5g5jH1OOePBo03pX+o0CnNb5PYt/oTlOBLY7bu4K8hKyUN/KHiXaO7aIZ64ZT264A04
X-Received: by 10.98.103.131 with SMTP id t3mr4896925pfj.53.1517584988446;
        Fri, 02 Feb 2018 07:23:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517584988; cv=none;
        d=google.com; s=arc-20160816;
        b=tQ3JydE3Q3uqWPXGKM1/DdIqdwYvfq8DnHAVx3RoEsNGxPDqSmPR9/EIi+A+yKZEMt
         ZdTO24MVSENV5IAjgMCLMPNOEiGw2jVA0IPvz5Ctn4G6Kjy+SAqcdOhinzHW7y8cOaS/
         yqZXTZrSk3LpDbo1PP3hjZVk3HQULps9Ui14hmkXU7c8DWGZF4ns0yv/sEEKdojCHBat
         9sdvaRCFFLjpPG/S07Ff60C19feIDBVU+QvRaCoexjuZRTBlO+tGZ5p/uBNIDQ+k6f1l
         C23tk3zZzvwd3s/kv9MQCJAVVtpl5W6ogpFG7WQzxskUUEmn2Vs/U3n/3euf8h2E5VL7
         ctCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:date:cc:to:from:subject
         :arc-authentication-results;
        bh=QWslC1uf0CnA1P1WqmSSyzIFZtHhCl8vtxCx4vVS46Y=;
        b=K9rMe8h/XzSpJ4Er3Qgm1iwfnhXCFVUa+iUwDyJttjdy0sph+k/F2jF7lMndniKto4
         yrUXgJoAx2OJfB2KPTH0TNihNfMAXTzWlZctXCJi5LguzkWP8a5IvFa52no9gepuefgv
         wgk/BHt0tEQROMuRuiOwtj4M1sTKDyJtUxvS7ElB4zI+v7+p4dg2MDlbRMMP9Gdn6YcE
         ELddZKfcu/vbHu/FZ71HMV/AX1HnIhnp9Xt9cvco6xabubSJXd2e5MeQ7htcVV7ZxAkX
         f6DAOdEWJYz9/z/1a2iHbbBEfWOhflKx3mjEpEGvXk50ijEwqvm16vvXfT1nZJD1UfJp
         cKQQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k12si1593750pgt.109.2018.02.02.07.22.53;
        Fri, 02 Feb 2018 07:23:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752000AbeBBPUq (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Fri, 2 Feb 2018 10:20:46 -0500
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:50286 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1751887AbeBBPU3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 2 Feb 2018 10:20:29 -0500
Received: from pps.filterd (m0098420.ppops.net [127.0.0.1])
        by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w12FK4dE032702
        for <linux-kernel@vger.kernel.org>; Fri, 2 Feb 2018 10:20:29 -0500
Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109])
        by mx0b-001b2d01.pphosted.com with ESMTP id 2fvqq2r195-1
        (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Fri, 02 Feb 2018 10:20:28 -0500
Received: from localhost
        by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <zohar@linux.vnet.ibm.com>;
        Fri, 2 Feb 2018 15:20:25 -0000
Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195)
        by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Fri, 2 Feb 2018 15:20:19 -0000
Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232])
        by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w12FKJIC47054888;
        Fri, 2 Feb 2018 15:20:19 GMT
Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 77B2A52047;
        Fri,  2 Feb 2018 14:12:32 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.80.80.37])
        by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTP id ABB265204E;
        Fri,  2 Feb 2018 14:12:30 +0000 (GMT)
Subject: Re: [RFC PATCH v4 1/2] fuse: introduce new fs_type flag
 FS_IMA_NO_CACHE
From:   Mimi Zohar <zohar@linux.vnet.ibm.com>
To:     Miklos Szeredi <miklos@szeredi.hu>,
        Christoph Hellwig <hch@infradead.org>
Cc:     linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, Alban Crequy <alban@kinvolk.io>,
        Miklos Szeredi <mszeredi@redhat.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
        James Morris <jmorris@namei.org>,
        Christoph Hellwig <hch@infradead.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Seth Forshee <seth.forshee@canonical.com>,
        Dongsu Park <dongsu@kinvolk.io>, linux-kernel@vger.kernel.org
Date:   Fri, 02 Feb 2018 10:20:16 -0500
In-Reply-To: <86832c6adb256f29f44b6229222b80964fc8cfcc.1517314847.git.dongsu@kinvolk.io>
References: <cover.1517314847.git.dongsu@kinvolk.io>
         <86832c6adb256f29f44b6229222b80964fc8cfcc.1517314847.git.dongsu@kinvolk.io>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 18020215-0012-0000-0000-000005AAC84F
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18020215-0013-0000-0000-0000192672A7
Message-Id: <1517584816.3171.61.camel@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-02-02_04:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1802020188
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Miklos,

On Tue, 2018-01-30 at 19:06 +0100, Dongsu Park wrote:
> From: Alban Crequy <alban@kinvolk.io>
> 
> This new fs_type flag FS_IMA_NO_CACHE means files should be re-measured,
> re-appraised and re-audited each time. Cached integrity results should
> not be used.
> 
> It is useful in FUSE because the userspace FUSE process can change the
> underlying files at any time without notifying the kernel.

Both IMA-measurement and IMA-appraisal cache the integrity results and
are dependent on the kernel to detect when a file changes in order to
clear the cached info and force the file to be re-evaluated.  This
detection was dependent on i_version changing.  For filesystems that
do not support i_version, remote or fuse filesystems, where the kernel
does not detect the file change, the file was measured and the
signature evaluated just once.

With commit a2a2c3c8580a ("ima: Use i_version only when filesystem
supports it"), which is being upstreamed in this open window,
i_version is considered an optimization.  If i_version is not enabled,
either because the local filesystem does not support it or the
filesystem wasn't mounted with i_version, the file will now always be
re-evaluated.

That patch does not address FUSE or remote filesystems, as the kernel
does not detect the change.  Further, even if the kernel could detect
the change, FUSE filesystems by definition are untrusted.

The original patches addressed FUSE filesystems, by defining a new IMA
policy option, forcing the file to be re-evaluated based on the
filesystem magic number.  All of the changes were in the IMA
subsystem.  These patches are the result of Christoph's comment on the
original patches saying, "ima has no business looking at either the
name _or_ the magic number."

Your help in resolving this problem is much appreciated!

Mimi

> 
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-integrity@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: linux-fsdevel@vger.kernel.org
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> Cc: James Morris <jmorris@namei.org>
> Cc: Christoph Hellwig <hch@infradead.org>
> Acked-by: "Serge E. Hallyn" <serge@hallyn.com>
> Acked-by: Seth Forshee <seth.forshee@canonical.com>
> Tested-by: Dongsu Park <dongsu@kinvolk.io>
> Signed-off-by: Alban Crequy <alban@kinvolk.io>
> ---
>  fs/fuse/inode.c    | 2 +-
>  include/linux/fs.h | 1 +
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 624f18bb..0a9e5164 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1205,7 +1205,7 @@ static void fuse_kill_sb_anon(struct super_block *sb)
>  static struct file_system_type fuse_fs_type = {
>  	.owner		= THIS_MODULE,
>  	.name		= "fuse",
> -	.fs_flags	= FS_HAS_SUBTYPE,
> +	.fs_flags	= FS_HAS_SUBTYPE | FS_IMA_NO_CACHE,
>  	.mount		= fuse_mount,
>  	.kill_sb	= fuse_kill_sb_anon,
>  };
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 511fbaab..ced841ba 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2075,6 +2075,7 @@ struct file_system_type {
>  #define FS_BINARY_MOUNTDATA	2
>  #define FS_HAS_SUBTYPE		4
>  #define FS_USERNS_MOUNT		8	/* Can be mounted by userns root */
> +#define FS_IMA_NO_CACHE		16	/* Force IMA to re-measure, re-appraise, re-audit files */
>  #define FS_RENAME_DOES_D_MOVE	32768	/* FS will handle d_move() during rename() internally. */
>  	struct dentry *(*mount) (struct file_system_type *, int,
>  		       const char *, void *);