From patchwork Thu Mar 8 20:24:10 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10269179 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id ECDC96016D for ; Thu, 8 Mar 2018 20:24:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DA0CC28768 for ; Thu, 8 Mar 2018 20:24:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CEF4929A6E; Thu, 8 Mar 2018 20:24:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7017F28768 for ; Thu, 8 Mar 2018 20:24:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750993AbeCHUYe (ORCPT ); Thu, 8 Mar 2018 15:24:34 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:60478 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751026AbeCHUYc (ORCPT ); Thu, 8 Mar 2018 15:24:32 -0500 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w28K6lZT169552 for ; Thu, 8 Mar 2018 15:24:32 -0500 Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111]) by mx0b-001b2d01.pphosted.com with ESMTP id 2gkb6gjc2g-1 (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT) for ; Thu, 08 Mar 2018 15:24:32 -0500 Received: from localhost by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 8 Mar 2018 20:24:30 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 8 Mar 2018 20:24:26 -0000 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w28KOQ9340435822; Thu, 8 Mar 2018 20:24:26 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 277134C04E; Thu, 8 Mar 2018 20:17:47 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B2F894C040; Thu, 8 Mar 2018 20:17:45 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.82.179]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 8 Mar 2018 20:17:45 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Mimi Zohar , Miklos Szeredi , Seth Forshee , "Eric W . Biederman" , Dongsu Park , Alban Crequy , "Serge E. Hallyn" Subject: [PATCH v3 4/4] fuse: define the filesystem as untrusted Date: Thu, 8 Mar 2018 15:24:10 -0500 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1520540650-7451-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1520540650-7451-1-git-send-email-zohar@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18030820-0020-0000-0000-000004007316 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18030820-0021-0000-0000-00004294B9E5 Message-Id: <1520540650-7451-5-git-send-email-zohar@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-08_11:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1803080221 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Files on FUSE can change at any point in time without IMA being able to detect it. The file data read for the file signature verification could be totally different from what is subsequently read, making the signature verification useless. FUSE can be mounted by unprivileged users either today with fusermount installed with setuid, or soon with the upcoming patches to allow FUSE mounts in a non-init user namespace. This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when appropriate sets the SB_I_UNTRUSTED_MOUNTER flag. Signed-off-by: Mimi Zohar Cc: Miklos Szeredi Cc: Seth Forshee Cc: Eric W. Biederman Cc: Dongsu Park Cc: Alban Crequy Cc: "Serge E. Hallyn" Acked-by: Serge Hallyn Acked-by: "Eric W. Biederman" --- fs/fuse/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index 624f18bbfd2b..ef309958e060 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) sb->s_maxbytes = MAX_LFS_FILESIZE; sb->s_time_gran = 1; sb->s_export_op = &fuse_export_operations; + sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE; + if (sb->s_user_ns != &init_user_ns) + sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER; file = fget(d.fd); err = -EINVAL;