Received: by 10.223.185.116 with SMTP id b49csp1134553wrg; Sun, 11 Feb 2018 05:20:54 -0800 (PST) X-Google-Smtp-Source: AH8x227PVUgjj5qc/yWDgwR8Ccii0tXBXdYkuc1iWrPW9AGKJksaF+eFu58K3up/Wr3AEjOAc/iz X-Received: by 10.99.60.72 with SMTP id i8mr3128404pgn.399.1518355254593; Sun, 11 Feb 2018 05:20:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518355254; cv=none; d=google.com; s=arc-20160816; b=g5EfNYwHa667yJpCics4CgO1ubGcCB3giFuERIGGFQgs+5QXBLFZhaAHhTKLrlhPIK eZ2c+mCPPOzYNXgiY2cqTc27u0VPYRFSl81k5irNDTMNGQiVzWrlM9iaaLMh3WupRiM8 R7Ky6eLKV7F940QuZCCTSxYVIfVOemsBfGj3ScXidwzDG5NTi7k8NitXGhCYIzx0badw wsNskMaeM4lb/Cbvm6A/5r1MBHMNwFOp+81EXetkvoCT01D5cuOxoAt6MkrkaScLBWbN Fx4tGRiqBNgjQcqAZuRPVds75cJzMKHQ2aYyJ2QfEXsKFOqWtoTkEUDJJetRre83wNDA QNPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-id:mime-version:user-agent :references:message-id:in-reply-to:subject:cc:to:from:date :arc-authentication-results; bh=bQ/osBm+77vqPBkISeDtxPreDNl2u9/zVlQcx5oHlLk=; b=HxqSyxhn3ghhaHn0mxeHkASxuZoW3zVgrrVhNwatzwCE8VzKJ8dXGDpv75qGW0kEdG YfJvMYr/tiWhicprp4ALjB4gPXlBZ3PKNiFMSHV0opljzcyPZsYVsDHey2eNR3W6x0WQ ID2g50RWadUA2cn3bUa4JOSpwr5ysph+8xBoVEmTzGm0+WFzHbXnOglEWDmte8LiXW7b wtxrGrmyYU970qd6IsWTJ9pjo3glr8JXJt2TyhBcUC2xAC4MYmwe1jtHGcAJ6pZRmytQ EO75kth7uP4oi+RNLUUX1OZPxX9mesjdDsyeZ3DulLnbcfGeuJEUoA+8NKaaxitL20QS i0GQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b5si4805664pff.349.2018.02.11.05.20.39; Sun, 11 Feb 2018 05:20:54 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753377AbeBKNUD (ORCPT + 99 others); Sun, 11 Feb 2018 08:20:03 -0500 Received: from namei.org ([65.99.196.166]:48558 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752597AbeBKNUC (ORCPT ); Sun, 11 Feb 2018 08:20:02 -0500 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id w1BDJtGX023624; Sun, 11 Feb 2018 13:19:56 GMT Date: Mon, 12 Feb 2018 00:19:55 +1100 (AEDT) From: James Morris To: Mimi Zohar cc: linux-kernel@vger.kernel.org, Linus Torvalds Subject: Re: [GIT PULL] Integrity: IMA FUSE fixes In-Reply-To: <1518324116.5491.132.camel@linux.vnet.ibm.com> Message-ID: References: <1518324116.5491.132.camel@linux.vnet.ibm.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: multipart/mixed; BOUNDARY="1665246916-339538886-1518354090=:20189" Content-ID: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --1665246916-339538886-1518354090=:20189 Content-Type: text/plain; CHARSET=ISO-8859-15 Content-Transfer-Encoding: 8BIT Content-ID: On Sat, 10 Feb 2018, Mimi Zohar wrote: > > Which seems *worse* than what we do now, in that it wastes time and > > effort on re-creating those pointless measurements because it disables > > the caching of them. > > > > So honestly, the only sane thing seems to be to disable IMA on fuse, > > not to force it to do even _more_ pointless work. > > > > What am I missing? > > No, you're right. ?The file could change at any time, making the > measurement(s) and by extension signature verification meaningless.? Really? I thought the whole idea of IMA was that it only detects offline tampering and it specifically does not protect against runtime attacks. Any file could change after measurement on a compromised or misconfigured system. e.g. via direct write to the block device. > Custom policy rules could be defined to disable measurement, > appraisal, and audit for files on fuse. ?However, I don't think we > want to automatically disable measurement, even meaningless > measurements. ?Some indication needs to be included for remote > attestation, security analytics, or forensics. ?For systems with > policies that require file signatures even on fuse, the safest thing > would seem to be to fail the signature verification. I don't understand this -- if a file passes signature verification, it passes. If it was modified and still passes, the problem is elsewhere. I don't think the FUSE measurements are inherently useless, or more useless than any others, at least. You can misconfigure all kinds of things on a system which would undermine IMA, and I would count allowing unprivileged use of FUSE with critical files as such. The point of the patches, IIUC, was that FUSE had no useful way to notify IMA that a file had changed, so, always measure. IMA assumes that changes to a running system are made under the control of a correctly enforced security policy. If you're using FUSE and IMA, then you should understand the security implications of that. Or am I missing something? - James -- James Morris --1665246916-339538886-1518354090=:20189--