diff mbox

[v3,4/4] fuse: define the filesystem as untrusted

Message ID 1520540650-7451-5-git-send-email-zohar@linux.vnet.ibm.com (mailing list archive)
State New, archived
Headers show

Commit Message

Mimi Zohar March 8, 2018, 8:24 p.m. UTC
Files on FUSE can change at any point in time without IMA being able
to detect it.  The file data read for the file signature verification
could be totally different from what is subsequently read, making the
signature verification useless.

FUSE can be mounted by unprivileged users either today with fusermount
installed with setuid, or soon with the upcoming patches to allow FUSE
mounts in a non-init user namespace.

This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Dongsu Park <dongsu@kinvolk.io>
Cc: Alban Crequy <alban@kinvolk.io>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
---
 fs/fuse/inode.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Serge E. Hallyn March 12, 2018, 7:29 p.m. UTC | #1
Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> Files on FUSE can change at any point in time without IMA being able
> to detect it.  The file data read for the file signature verification
> could be totally different from what is subsequently read, making the
> signature verification useless.
> 
> FUSE can be mounted by unprivileged users either today with fusermount
> installed with setuid, or soon with the upcoming patches to allow FUSE
> mounts in a non-init user namespace.
> 
> This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
> appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Seth Forshee <seth.forshee@canonical.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Dongsu Park <dongsu@kinvolk.io>
> Cc: Alban Crequy <alban@kinvolk.io>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>

Acked-by: Serge Hallyn <serge@hallyn.com>

Of course when IMA namespacing hits, you'll want to compare the
sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns
right?

> ---
>  fs/fuse/inode.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 624f18bbfd2b..ef309958e060 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
>  	sb->s_maxbytes = MAX_LFS_FILESIZE;
>  	sb->s_time_gran = 1;
>  	sb->s_export_op = &fuse_export_operations;
> +	sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
> +	if (sb->s_user_ns != &init_user_ns)
> +		sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
>  
>  	file = fget(d.fd);
>  	err = -EINVAL;
> -- 
> 2.7.5
Stefan Berger March 13, 2018, 2:46 p.m. UTC | #2
On 03/12/2018 03:29 PM, Serge E. Hallyn wrote:
> Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
>> Files on FUSE can change at any point in time without IMA being able
>> to detect it.  The file data read for the file signature verification
>> could be totally different from what is subsequently read, making the
>> signature verification useless.
>>
>> FUSE can be mounted by unprivileged users either today with fusermount
>> installed with setuid, or soon with the upcoming patches to allow FUSE
>> mounts in a non-init user namespace.
>>
>> This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
>> appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
>>
>> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>> Cc: Miklos Szeredi <miklos@szeredi.hu>
>> Cc: Seth Forshee <seth.forshee@canonical.com>
>> Cc: Eric W. Biederman <ebiederm@xmission.com>
>> Cc: Dongsu Park <dongsu@kinvolk.io>
>> Cc: Alban Crequy <alban@kinvolk.io>
>> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> Acked-by: Serge Hallyn <serge@hallyn.com>
>
> Of course when IMA namespacing hits, you'll want to compare the
> sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns
> right?

I suppose this would be the only way to enable 'trusted mounters' within 
IMA namespaces. Maybe there could be an additional capability gate that 
would allow one to be a 'trusted mounter' then?

>
>> ---
>>   fs/fuse/inode.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
>> index 624f18bbfd2b..ef309958e060 100644
>> --- a/fs/fuse/inode.c
>> +++ b/fs/fuse/inode.c
>> @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
>>   	sb->s_maxbytes = MAX_LFS_FILESIZE;
>>   	sb->s_time_gran = 1;
>>   	sb->s_export_op = &fuse_export_operations;
>> +	sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
>> +	if (sb->s_user_ns != &init_user_ns)
>> +		sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
>>   
>>   	file = fget(d.fd);
>>   	err = -EINVAL;
>> -- 
>> 2.7.5
Eric W. Biederman March 13, 2018, 7:32 p.m. UTC | #3
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:

> Files on FUSE can change at any point in time without IMA being able
> to detect it.  The file data read for the file signature verification
> could be totally different from what is subsequently read, making the
> signature verification useless.
>
> FUSE can be mounted by unprivileged users either today with fusermount
> installed with setuid, or soon with the upcoming patches to allow FUSE
> mounts in a non-init user namespace.
>
> This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
> appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Seth Forshee <seth.forshee@canonical.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Dongsu Park <dongsu@kinvolk.io>
> Cc: Alban Crequy <alban@kinvolk.io>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> ---
>  fs/fuse/inode.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 624f18bbfd2b..ef309958e060 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
>  	sb->s_maxbytes = MAX_LFS_FILESIZE;
>  	sb->s_time_gran = 1;
>  	sb->s_export_op = &fuse_export_operations;
> +	sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
> +	if (sb->s_user_ns != &init_user_ns)
> +		sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
>  
>  	file = fget(d.fd);
>  	err = -EINVAL;
Stef Bon March 14, 2018, 7:52 a.m. UTC | #4
I do not have any comments about the patches but a question.
I completely agree that the files can change without the VFS knowing
about it, but isn't that in general the case with filesystems with a
backend shared with others (network fs's?).

Stef
Mimi Zohar March 14, 2018, 1:01 p.m. UTC | #5
On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
> I do not have any comments about the patches but a question.
> I completely agree that the files can change without the VFS knowing
> about it, but isn't that in general the case with filesystems with a
> backend shared with others (network fs's?).

Right, the problem is not limited to fuse, but needs to be addressed
before unprivileged fuse mounts are upstreamed.

Alban's response to this question:
https://marc.info/?l=linux-kernel&m=151784020321045&w=2

Mimi
Serge E. Hallyn March 14, 2018, 2:27 p.m. UTC | #6
Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
> On 03/12/2018 03:29 PM, Serge E. Hallyn wrote:
> >Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> >>Files on FUSE can change at any point in time without IMA being able
> >>to detect it.  The file data read for the file signature verification
> >>could be totally different from what is subsequently read, making the
> >>signature verification useless.
> >>
> >>FUSE can be mounted by unprivileged users either today with fusermount
> >>installed with setuid, or soon with the upcoming patches to allow FUSE
> >>mounts in a non-init user namespace.
> >>
> >>This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
> >>appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
> >>
> >>Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >>Cc: Miklos Szeredi <miklos@szeredi.hu>
> >>Cc: Seth Forshee <seth.forshee@canonical.com>
> >>Cc: Eric W. Biederman <ebiederm@xmission.com>
> >>Cc: Dongsu Park <dongsu@kinvolk.io>
> >>Cc: Alban Crequy <alban@kinvolk.io>
> >>Cc: "Serge E. Hallyn" <serge@hallyn.com>
> >Acked-by: Serge Hallyn <serge@hallyn.com>
> >
> >Of course when IMA namespacing hits, you'll want to compare the
> >sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns
> >right?
> 
> I suppose this would be the only way to enable 'trusted mounters'
> within IMA namespaces. Maybe there could be an additional capability
> gate that would allow one to be a 'trusted mounter' then?

Wouldn't CAP_SYS_ADMIN to the ima_ns->user_ns suffice?

I personally think CAP_INTEGRITY would make sense, but right
now CAP_SYS_ADMIN seems to suffice so it wouldn't make sense to
raise the bar there unless we raise it for all of IMA configuration.

-serge
Stefan Berger March 14, 2018, 2:37 p.m. UTC | #7
On 03/14/2018 10:27 AM, Serge E. Hallyn wrote:
> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
>> On 03/12/2018 03:29 PM, Serge E. Hallyn wrote:
>>> Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
>>>> Files on FUSE can change at any point in time without IMA being able
>>>> to detect it.  The file data read for the file signature verification
>>>> could be totally different from what is subsequently read, making the
>>>> signature verification useless.
>>>>
>>>> FUSE can be mounted by unprivileged users either today with fusermount
>>>> installed with setuid, or soon with the upcoming patches to allow FUSE
>>>> mounts in a non-init user namespace.
>>>>
>>>> This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
>>>> appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
>>>>
>>>> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>>>> Cc: Miklos Szeredi <miklos@szeredi.hu>
>>>> Cc: Seth Forshee <seth.forshee@canonical.com>
>>>> Cc: Eric W. Biederman <ebiederm@xmission.com>
>>>> Cc: Dongsu Park <dongsu@kinvolk.io>
>>>> Cc: Alban Crequy <alban@kinvolk.io>
>>>> Cc: "Serge E. Hallyn" <serge@hallyn.com>
>>> Acked-by: Serge Hallyn <serge@hallyn.com>
>>>
>>> Of course when IMA namespacing hits, you'll want to compare the
>>> sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns
>>> right?
>> I suppose this would be the only way to enable 'trusted mounters'
>> within IMA namespaces. Maybe there could be an additional capability
>> gate that would allow one to be a 'trusted mounter' then?
> Wouldn't CAP_SYS_ADMIN to the ima_ns->user_ns suffice?
>
> I personally think CAP_INTEGRITY would make sense, but right
> now CAP_SYS_ADMIN seems to suffice so it wouldn't make sense to
> raise the bar there unless we raise it for all of IMA configuration.

So for IMA namespacing we may want to avoid CAP_SYS_ADMIN and introduce 
one or more capabilities to:

- set security xattrs from inside the container (when building the 
container for example, maybe also during runtime)
- access IMA's securityfs entries 
(https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_fs.c#L391) 
from inside the container for reading/writing the policy  (during run-time)
- then possibly mounting a trusted filesystem via fuse

    Stefan

>
> -serge
>
Eric W. Biederman March 14, 2018, 4:17 p.m. UTC | #8
Mimi Zohar <zohar@linux.vnet.ibm.com> writes:

> On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
>> I do not have any comments about the patches but a question.
>> I completely agree that the files can change without the VFS knowing
>> about it, but isn't that in general the case with filesystems with a
>> backend shared with others (network fs's?).
>
> Right, the problem is not limited to fuse, but needs to be addressed
> before unprivileged fuse mounts are upstreamed.
>
> Alban's response to this question:
> https://marc.info/?l=linux-kernel&m=151784020321045&w=2

Which goes to why it is a flag that get's set.

All of this just needs a follow-up patch to update every filesystem
that does not meet ima's requirements.

Mimi I believe you said that the requirement is that all file changes
can be detected through the final __fput of a file that calls
ima_file_free.

Eric
Mimi Zohar March 14, 2018, 5:50 p.m. UTC | #9
On Wed, 2018-03-14 at 11:17 -0500, Eric W. Biederman wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> 
> > On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
> >> I do not have any comments about the patches but a question.
> >> I completely agree that the files can change without the VFS knowing
> >> about it, but isn't that in general the case with filesystems with a
> >> backend shared with others (network fs's?).
> >
> > Right, the problem is not limited to fuse, but needs to be addressed
> > before unprivileged fuse mounts are upstreamed.
> >
> > Alban's response to this question:
> > https://marc.info/?l=linux-kernel&m=151784020321045&w=2
> 
> Which goes to why it is a flag that get's set.
> 
> All of this just needs a follow-up patch to update every filesystem
> that does not meet ima's requirements.

Currently files on remote filesystems are measured/appraised/audited
once.  With the new flags, our options would be to either fail the
signature verification or constantly re-measure/re-appraise files on
remote file systems.  Neither option seems like the right solution.

There's some very initial discussions on how to support file integrity
on remote filesystems.  Chuck Lever has some thoughts on piggy-backing 
on the fs-verity work being done.  From a very, very high level, IMA-
appraisal would verify the file signature, but leave the integrity
enforcement to the vfs/fs layer.  By integrating fs-verity or similar
proposal with IMA, measurements would be included in the measurement
list and keys used for file signature verification would use the same
existing IMA-appraisal infrastructure.

> Mimi I believe you said that the requirement is that all file changes
> can be detected through the final __fput of a file that calls
> ima_file_free.

Right, like for fuse, I don't believe this existing hook works for
remote filesystems.

Mimi
Chuck Lever March 14, 2018, 6:08 p.m. UTC | #10
> On Mar 14, 2018, at 1:50 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> On Wed, 2018-03-14 at 11:17 -0500, Eric W. Biederman wrote:
>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>> 
>>> On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
>>>> I do not have any comments about the patches but a question.
>>>> I completely agree that the files can change without the VFS knowing
>>>> about it, but isn't that in general the case with filesystems with a
>>>> backend shared with others (network fs's?).
>>> 
>>> Right, the problem is not limited to fuse, but needs to be addressed
>>> before unprivileged fuse mounts are upstreamed.
>>> 
>>> Alban's response to this question:
>>> https://marc.info/?l=linux-kernel&m=151784020321045&w=2
>> 
>> Which goes to why it is a flag that get's set.
>> 
>> All of this just needs a follow-up patch to update every filesystem
>> that does not meet ima's requirements.
> 
> Currently files on remote filesystems are measured/appraised/audited
> once.  With the new flags, our options would be to either fail the
> signature verification or constantly re-measure/re-appraise files on
> remote file systems.  Neither option seems like the right solution.

Being new to this game, I may be making a bad assumption, but I thought
that the (NFSv4) change attribute can be used to detect remote mutations
to a file's content or metadata, so that the appraisal could be cached
as long as that attribute does not change. At least for NFSv4, clients
assume their data cache is valid while the change attribute remains the
same.

NFSv4 (and SMB) also has a mechanism where a server guarantees it will
report any other clients that want to update a file. This is an NFSv4
read delegation or an SMB oplock. NFSv4 clients use this mechanism to
cache file data quite aggressively, and it could also be used to
preserve or cache audit state on remote files.


> There's some very initial discussions on how to support file integrity
> on remote filesystems.  Chuck Lever has some thoughts on piggy-backing 
> on the fs-verity work being done.  From a very, very high level, IMA-
> appraisal would verify the file signature, but leave the integrity
> enforcement to the vfs/fs layer.  By integrating fs-verity or similar
> proposal with IMA, measurements would be included in the measurement
> list and keys used for file signature verification would use the same
> existing IMA-appraisal infrastructure.

>> Mimi I believe you said that the requirement is that all file changes
>> can be detected through the final __fput of a file that calls
>> ima_file_free.
> 
> Right, like for fuse, I don't believe this existing hook works for
> remote filesystems.
> 
> Mimi

--
Chuck Lever
Eric W. Biederman March 14, 2018, 7:46 p.m. UTC | #11
Chuck Lever <chuck.lever@oracle.com> writes:

>> On Mar 14, 2018, at 1:50 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>> 
>> On Wed, 2018-03-14 at 11:17 -0500, Eric W. Biederman wrote:
>>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>>> 
>>>> On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
>>>>> I do not have any comments about the patches but a question.
>>>>> I completely agree that the files can change without the VFS knowing
>>>>> about it, but isn't that in general the case with filesystems with a
>>>>> backend shared with others (network fs's?).
>>>> 
>>>> Right, the problem is not limited to fuse, but needs to be addressed
>>>> before unprivileged fuse mounts are upstreamed.
>>>> 
>>>> Alban's response to this question:
>>>> https://marc.info/?l=linux-kernel&m=151784020321045&w=2
>>> 
>>> Which goes to why it is a flag that get's set.
>>> 
>>> All of this just needs a follow-up patch to update every filesystem
>>> that does not meet ima's requirements.
>> 
>> Currently files on remote filesystems are measured/appraised/audited
>> once.  With the new flags, our options would be to either fail the
>> signature verification or constantly re-measure/re-appraise files on
>> remote file systems.  Neither option seems like the right solution.

They are measured/appraised/audited once, and you can not trust that at
all because you don't know when the files are going to be different.

So either keeping the filesystem out of the ima game or failing sounds
like the right answer to me.  At least until you can get better
information from the filesystem.

> Being new to this game, I may be making a bad assumption, but I thought
> that the (NFSv4) change attribute can be used to detect remote mutations
> to a file's content or metadata, so that the appraisal could be cached
> as long as that attribute does not change. At least for NFSv4, clients
> assume their data cache is valid while the change attribute remains the
> same.
>
> NFSv4 (and SMB) also has a mechanism where a server guarantees it will
> report any other clients that want to update a file. This is an NFSv4
> read delegation or an SMB oplock. NFSv4 clients use this mechanism to
> cache file data quite aggressively, and it could also be used to
> preserve or cache audit state on remote files.

The file data invalid message, plus trusting the server, is what
would be needed for reliably caching the validity of the file.

>> There's some very initial discussions on how to support file integrity
>> on remote filesystems.  Chuck Lever has some thoughts on piggy-backing 
>> on the fs-verity work being done.  From a very, very high level, IMA-
>> appraisal would verify the file signature, but leave the integrity
>> enforcement to the vfs/fs layer.  By integrating fs-verity or similar
>> proposal with IMA, measurements would be included in the measurement
>> list and keys used for file signature verification would use the same
>> existing IMA-appraisal infrastructure.
>
>>> Mimi I believe you said that the requirement is that all file changes
>>> can be detected through the final __fput of a file that calls
>>> ima_file_free.
>> 
>> Right, like for fuse, I don't believe this existing hook works for
>> remote filesystems.

I am trying to understand things.

- I believe the beginning of any file write should invalidate the
  validity of the files cache.  IMA does something like that by looking
  at i_writecount.

- As I read the code ima_file_free triggers an update of the ima xattr
  and that update needs to wait until the file is quiescent.  AKA no
  more writers.  I am not certain how you get that in a remote
  filesystem.

  If the write is not coming from the local kernel I don't see how it
  makes any sense for IMA to actually update the xattr on write.

Eric
Chuck Lever March 14, 2018, 8:34 p.m. UTC | #12
> On Mar 14, 2018, at 3:46 PM, ebiederm@xmission.com wrote:
> 
> Chuck Lever <chuck.lever@oracle.com> writes:
> 
>>> On Mar 14, 2018, at 1:50 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>>> 
>>> On Wed, 2018-03-14 at 11:17 -0500, Eric W. Biederman wrote:
>>>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>>>> 
>>>>> On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
>>>>>> I do not have any comments about the patches but a question.
>>>>>> I completely agree that the files can change without the VFS knowing
>>>>>> about it, but isn't that in general the case with filesystems with a
>>>>>> backend shared with others (network fs's?).
>>>>> 
>>>>> Right, the problem is not limited to fuse, but needs to be addressed
>>>>> before unprivileged fuse mounts are upstreamed.
>>>>> 
>>>>> Alban's response to this question:
>>>>> https://marc.info/?l=linux-kernel&m=151784020321045&w=2
>>>> 
>>>> Which goes to why it is a flag that get's set.
>>>> 
>>>> All of this just needs a follow-up patch to update every filesystem
>>>> that does not meet ima's requirements.
>>> 
>>> Currently files on remote filesystems are measured/appraised/audited
>>> once.  With the new flags, our options would be to either fail the
>>> signature verification or constantly re-measure/re-appraise files on
>>> remote file systems.  Neither option seems like the right solution.
> 
> They are measured/appraised/audited once, and you can not trust that at
> all because you don't know when the files are going to be different.
> 
> So either keeping the filesystem out of the ima game or failing sounds
> like the right answer to me.  At least until you can get better
> information from the filesystem.
> 
>> Being new to this game, I may be making a bad assumption, but I thought
>> that the (NFSv4) change attribute can be used to detect remote mutations
>> to a file's content or metadata, so that the appraisal could be cached
>> as long as that attribute does not change. At least for NFSv4, clients
>> assume their data cache is valid while the change attribute remains the
>> same.
>> 
>> NFSv4 (and SMB) also has a mechanism where a server guarantees it will
>> report any other clients that want to update a file. This is an NFSv4
>> read delegation or an SMB oplock. NFSv4 clients use this mechanism to
>> cache file data quite aggressively, and it could also be used to
>> preserve or cache audit state on remote files.
> 
> The file data invalid message, plus trusting the server, is what
> would be needed for reliably caching the validity of the file.

What establishes client trust in the server? I'm probably missing
something.

The NFS protocol can convey the contents of the file, it's attributes,
and the contents of the security.ima and security.evm xattrs. The xattrs
contain cryptographically signed integrity metadata, which I presume
cannot be altered undetectably either at rest or in transit. The client
has everything it needs to measure that file, doesn't it, as long as it
has the correct set of keys to verify the signatures?

Likely I am naive, but it seems to me a file server does not have to
participate in this process, other than to store and return IMA xattrs
along with the file content. All participating clients would need to
carry the same set of keys, however.

Please tell me if I'm hijacking the thread.


>>> There's some very initial discussions on how to support file integrity
>>> on remote filesystems.  Chuck Lever has some thoughts on piggy-backing 
>>> on the fs-verity work being done.  From a very, very high level, IMA-
>>> appraisal would verify the file signature, but leave the integrity
>>> enforcement to the vfs/fs layer.  By integrating fs-verity or similar
>>> proposal with IMA, measurements would be included in the measurement
>>> list and keys used for file signature verification would use the same
>>> existing IMA-appraisal infrastructure.
>> 
>>>> Mimi I believe you said that the requirement is that all file changes
>>>> can be detected through the final __fput of a file that calls
>>>> ima_file_free.
>>> 
>>> Right, like for fuse, I don't believe this existing hook works for
>>> remote filesystems.
> 
> I am trying to understand things.
> 
> - I believe the beginning of any file write should invalidate the
>  validity of the files cache.  IMA does something like that by looking
>  at i_writecount.
> 
> - As I read the code ima_file_free triggers an update of the ima xattr
>  and that update needs to wait until the file is quiescent.  AKA no
>  more writers.  I am not certain how you get that in a remote
>  filesystem.

With NFSv4, a read delegation is sufficient to guarantee that the
client is the only writer. The mechanism varies (or can be absent)
for other remote filesystem protocols. And, an NFSv4 server is not
obligated to always provide a delegation.

An NFSv4 client can also OPEN a file with share deny modes. That
would prevent other clients from accessing the file while the IMA
metadata was recomputed. Again, I believe something similar would
work for SMB3, but might not be applicable to other remote file-
system protocols (eg NFSv3 does not have all this magic).

However, computing a fresh IMA xattr would require access to the
whole file. For a large file, a client would have to read it from
the file server in its entirety, unless the file server offloads
this computation from the client somehow. The server would need to
wait until that client had CLOSEd the file to ensure that the
client had no more cached dirty data, and at that point the server
can itself guarantee there are no other remote accessors.


>  If the write is not coming from the local kernel I don't see how it
>  makes any sense for IMA to actually update the xattr on write.
> 
> Eric

--
Chuck Lever
Eric W. Biederman March 14, 2018, 9:42 p.m. UTC | #13
Chuck Lever <chuck.lever@oracle.com> writes:

>> On Mar 14, 2018, at 3:46 PM, ebiederm@xmission.com wrote:
>> 
>> Chuck Lever <chuck.lever@oracle.com> writes:
>> 
>>>> On Mar 14, 2018, at 1:50 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>>>> 
>>>> On Wed, 2018-03-14 at 11:17 -0500, Eric W. Biederman wrote:
>>>>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
>>>>> 
>>>>>> On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
>>>>>>> I do not have any comments about the patches but a question.
>>>>>>> I completely agree that the files can change without the VFS knowing
>>>>>>> about it, but isn't that in general the case with filesystems with a
>>>>>>> backend shared with others (network fs's?).
>>>>>> 
>>>>>> Right, the problem is not limited to fuse, but needs to be addressed
>>>>>> before unprivileged fuse mounts are upstreamed.
>>>>>> 
>>>>>> Alban's response to this question:
>>>>>> https://marc.info/?l=linux-kernel&m=151784020321045&w=2
>>>>> 
>>>>> Which goes to why it is a flag that get's set.
>>>>> 
>>>>> All of this just needs a follow-up patch to update every filesystem
>>>>> that does not meet ima's requirements.
>>>> 
>>>> Currently files on remote filesystems are measured/appraised/audited
>>>> once.  With the new flags, our options would be to either fail the
>>>> signature verification or constantly re-measure/re-appraise files on
>>>> remote file systems.  Neither option seems like the right solution.
>> 
>> They are measured/appraised/audited once, and you can not trust that at
>> all because you don't know when the files are going to be different.
>> 
>> So either keeping the filesystem out of the ima game or failing sounds
>> like the right answer to me.  At least until you can get better
>> information from the filesystem.
>> 
>>> Being new to this game, I may be making a bad assumption, but I thought
>>> that the (NFSv4) change attribute can be used to detect remote mutations
>>> to a file's content or metadata, so that the appraisal could be cached
>>> as long as that attribute does not change. At least for NFSv4, clients
>>> assume their data cache is valid while the change attribute remains the
>>> same.
>>> 
>>> NFSv4 (and SMB) also has a mechanism where a server guarantees it will
>>> report any other clients that want to update a file. This is an NFSv4
>>> read delegation or an SMB oplock. NFSv4 clients use this mechanism to
>>> cache file data quite aggressively, and it could also be used to
>>> preserve or cache audit state on remote files.
>> 
>> The file data invalid message, plus trusting the server, is what
>> would be needed for reliably caching the validity of the file.
>
> What establishes client trust in the server? I'm probably missing
> something.

In this case I mean trust as in the believe that the server is not
actively trying to subvert the guarantees that IMA is depending upon.

One such guarantee is that if data is dropped from the page cache and
reread it will be the same data (unless the server let's you know).
AKA IMA needs to trust that the cache coherency protocol is implemented
honestly.

Except for the case of something like fusermount that is the standard
assumption today.  That the filesystem is not actively trying to trip
up the kernel.

> The NFS protocol can convey the contents of the file, it's attributes,
> and the contents of the security.ima and security.evm xattrs. The xattrs
> contain cryptographically signed integrity metadata, which I presume
> cannot be altered undetectably either at rest or in transit. The client
> has everything it needs to measure that file, doesn't it, as long as it
> has the correct set of keys to verify the signatures?
>
> Likely I am naive, but it seems to me a file server does not have to
> participate in this process, other than to store and return IMA xattrs
> along with the file content. All participating clients would need to
> carry the same set of keys, however.
>
> Please tell me if I'm hijacking the thread.

Unless something brings us to non-consensus about the patches to merge
we are good.  I think this is an area that need some discussion.

The big big thing right now, as I understand it, is these mechanisms that
nfs uses to keep the cache in sync are not clearly reflected in the vfs
in a way that ima can take advantage of them.


Please note I am stretching what we can do with the vfs in the kernel,
but working on unprivileged fuse mounts.  This has me asking all are
our kernel mechanisms ok if the server is actively hostile.  What
happens if the server on the first read returns an innocuous file that
matches it's ima xattr, but on the next read of the file returns an evil
trojan horse.  Or what if the server implements a cache coherency
protocol but lies and does not report all of the changes to a file.

Which is what got this conversation started in the first place
discovering that unprivileged fuse+xattrs is not something people have
looked at closely.

A side effect of the conversation is realizing that remote filesystems
have many of the same issues, but we can trust that the remote
filesystems are not actively hostile.  They just happen to not maintain
all of the same invariants as local filesystems (like all modifications
go through the local kernel).  Which leads to the implication that we
need some of these mechanisms on filesystems like nfs as well.

>>>> There's some very initial discussions on how to support file integrity
>>>> on remote filesystems.  Chuck Lever has some thoughts on piggy-backing 
>>>> on the fs-verity work being done.  From a very, very high level, IMA-
>>>> appraisal would verify the file signature, but leave the integrity
>>>> enforcement to the vfs/fs layer.  By integrating fs-verity or similar
>>>> proposal with IMA, measurements would be included in the measurement
>>>> list and keys used for file signature verification would use the same
>>>> existing IMA-appraisal infrastructure.
>>> 
>>>>> Mimi I believe you said that the requirement is that all file changes
>>>>> can be detected through the final __fput of a file that calls
>>>>> ima_file_free.
>>>> 
>>>> Right, like for fuse, I don't believe this existing hook works for
>>>> remote filesystems.
>> 
>> I am trying to understand things.
>> 
>> - I believe the beginning of any file write should invalidate the
>>  validity of the files cache.  IMA does something like that by looking
>>  at i_writecount.
>> 
>> - As I read the code ima_file_free triggers an update of the ima xattr
>>  and that update needs to wait until the file is quiescent.  AKA no
>>  more writers.  I am not certain how you get that in a remote
>>  filesystem.
>
> With NFSv4, a read delegation is sufficient to guarantee that the
> client is the only writer. The mechanism varies (or can be absent)
> for other remote filesystem protocols. And, an NFSv4 server is not
> obligated to always provide a delegation.
>
> An NFSv4 client can also OPEN a file with share deny modes. That
> would prevent other clients from accessing the file while the IMA
> metadata was recomputed. Again, I believe something similar would
> work for SMB3, but might not be applicable to other remote file-
> system protocols (eg NFSv3 does not have all this magic).
>
> However, computing a fresh IMA xattr would require access to the
> whole file. For a large file, a client would have to read it from
> the file server in its entirety, unless the file server offloads
> this computation from the client somehow. The server would need to
> wait until that client had CLOSEd the file to ensure that the
> client had no more cached dirty data, and at that point the server
> can itself guarantee there are no other remote accessors.

Which sounds to me like all of this is implementable if desired,
but that ima is not currently tied into these mechanisms.  Which
I expect is the next step.

Eric
Michael Halcrow March 14, 2018, 10:53 p.m. UTC | #14
On Wed, Mar 14, 2018 at 04:42:51PM -0500, Eric W. Biederman wrote:
> In this case I mean trust as in the believe that the server is not
> actively trying to subvert the guarantees that IMA is depending
> upon.

The fs-verity adversarial model we're targeting includes a malicious
layer backing the local file system inode's page cache.

For example, the malicious layer can be a drive controller with
trojaned firmware or a compromised remote server.

> What happens if the server on the first read returns an innocuous
> file that matches it's ima xattr, but on the next read of the file
> returns an evil trojan horse.  Or what if the server implements a
> cache coherency protocol but lies and does not report all of the
> changes to a file.

fs-verity validates each page in the inode's page cache against the
inode's root-of-trust every time the page is read into the cache.

The signature mechanism on the root-of-trust must bind the inode
identity.

The initial version of fs-verity supports Secure Boot, and the TCB
validates each inode identity in the mount during the boot process.
fs-verity does this via an ioctl that provisions the fs-verity
measurement, causing the inode (along with its immutable measurement)
to be pinned by the superblock for the life of the mount.  This meets
requirements for the Android platform's use case, which only needs to
cover about 15 APKs during boot.

This doesn't scale.  Future work will include integration with PKCS7
and/or IMA.  Signatures will be dynamically verifiable against a key
or keys in the TCB, and I'd like to establish a safe way to avoid
having to pin inodes and their measurements.
Stef Bon March 15, 2018, 10:07 a.m. UTC | #15
2018-03-14 22:42 GMT+01:00 Eric W. Biederman <ebiederm@xmission.com>:
>>
>> Please tell me if I'm hijacking the thread.
>
> Unless something brings us to non-consensus about the patches to merge
> we are good.  I think this is an area that need some discussion.
>
> The big big thing right now, as I understand it, is these mechanisms that
> nfs uses to keep the cache in sync are not clearly reflected in the vfs
> in a way that ima can take advantage of them.
>
>

Chuck you mean fschange notifications methods like
NT_TRANSACT_NOTIFY_CHANGE for cifs. I believe that NFS4 has something simular.
These mechanism will inform the client when a file in a watched
directory is changed.
This is not yet supported in Linux (these methods are not triggered
any way when setting a watch using inotify for exmple).
There was support with dnotify
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/cifs/cifssmb.c#n6393).

But these methods are triggered by the user and not the VFS/kernel and
therefore cannot garantee that all files on the client
are the same as on the server.
This also counts for a read delegation with nfs and methods like
leases in a client server environment.

Stef
Chuck Lever March 15, 2018, 1:53 p.m. UTC | #16
Hi Stef-

> On Mar 15, 2018, at 6:07 AM, Stef Bon <stefbon@gmail.com> wrote:
> 
> 2018-03-14 22:42 GMT+01:00 Eric W. Biederman <ebiederm@xmission.com>:
>>> 
>>> Please tell me if I'm hijacking the thread.
>> 
>> Unless something brings us to non-consensus about the patches to merge
>> we are good.  I think this is an area that need some discussion.
>> 
>> The big big thing right now, as I understand it, is these mechanisms that
>> nfs uses to keep the cache in sync are not clearly reflected in the vfs
>> in a way that ima can take advantage of them.
>> 
>> 
> 
> Chuck you mean fschange notifications methods like
> NT_TRANSACT_NOTIFY_CHANGE for cifs.

No, I don't mean notification. That's a different mechanism entirely.

NFSv4 delegations are similar to SMB oplocks. It's a protocol
guarantee that the server will tell the client that holds a delegation
when another client wants conflicting access to a file. The client
then has an opportunity to update the file with anything it has cached
and then the client releases the delegation. Servers have the option
of granting a delegation for a file when it is OPENed.

NFSv4 OPEN with share deny is similar to the way that SMB does OPENs.
When a user OPENs a file this way, no other user or client is allowed
to access it until the user CLOSEs the file.


> I believe that NFS4 has something simular.
> These mechanism will inform the client when a file in a watched
> directory is changed.
> This is not yet supported in Linux (these methods are not triggered
> any way when setting a watch using inotify for exmple).
> There was support with dnotify
> (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/cifs/cifssmb.c#n6393).
> 
> But these methods are triggered by the user and not the VFS/kernel and
> therefore cannot garantee that all files on the client
> are the same as on the server.
> This also counts for a read delegation with nfs and methods like
> leases in a client server environment.
> 
> Stef

--
Chuck Lever
Mimi Zohar March 15, 2018, 9:24 p.m. UTC | #17
On Wed, 2018-03-14 at 15:53 -0700, Michael Halcrow wrote:
> On Wed, Mar 14, 2018 at 04:42:51PM -0500, Eric W. Biederman wrote:
> > In this case I mean trust as in the believe that the server is not
> > actively trying to subvert the guarantees that IMA is depending
> > upon.
> 
> The fs-verity adversarial model we're targeting includes a malicious
> layer backing the local file system inode's page cache.
> 
> For example, the malicious layer can be a drive controller with
> trojaned firmware or a compromised remote server.
> 
> > What happens if the server on the first read returns an innocuous
> > file that matches it's ima xattr, but on the next read of the file
> > returns an evil trojan horse.  Or what if the server implements a
> > cache coherency protocol but lies and does not report all of the
> > changes to a file.
> 
> fs-verity validates each page in the inode's page cache against the
> inode's root-of-trust every time the page is read into the cache.
> 
> The signature mechanism on the root-of-trust must bind the inode
> identity.
> 
> The initial version of fs-verity supports Secure Boot, and the TCB
> validates each inode identity in the mount during the boot process.
> fs-verity does this via an ioctl that provisions the fs-verity
> measurement, causing the inode (along with its immutable measurement)
> to be pinned by the superblock for the life of the mount.  This meets
> requirements for the Android platform's use case, which only needs to
> cover about 15 APKs during boot.
> 
> This doesn't scale.  Future work will include integration with PKCS7
> and/or IMA.  Signatures will be dynamically verifiable against a key
> or keys in the TCB, and I'd like to establish a safe way to avoid
> having to pin inodes and their measurements.

Next steps should also include identifying methods for storing and
transporting the Merkle tree signature without having to read the
entire file for remote filesystems.

With this fs support, signed files on file systems mounted with the
 SB_I_IMA_UNVERIFIABLE_SIGNATURE flag would then be verifiable.  

Mimi
Mimi Zohar March 15, 2018, 10:05 p.m. UTC | #18
On Wed, 2018-03-14 at 14:46 -0500, Eric W. Biederman wrote:
> Chuck Lever <chuck.lever@oracle.com> writes:
> 
> >> On Mar 14, 2018, at 1:50 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> >> 
> >> On Wed, 2018-03-14 at 11:17 -0500, Eric W. Biederman wrote:
> >>> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> >>> 
> >>>> On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
> >>>>> I do not have any comments about the patches but a question.
> >>>>> I completely agree that the files can change without the VFS knowing
> >>>>> about it, but isn't that in general the case with filesystems with a
> >>>>> backend shared with others (network fs's?).
> >>>> 
> >>>> Right, the problem is not limited to fuse, but needs to be addressed
> >>>> before unprivileged fuse mounts are upstreamed.
> >>>> 
> >>>> Alban's response to this question:
> >>>> https://marc.info/?l=linux-kernel&m=151784020321045&w=2
> >>> 
> >>> Which goes to why it is a flag that get's set.
> >>> 
> >>> All of this just needs a follow-up patch to update every filesystem
> >>> that does not meet ima's requirements.
> >> 
> >> Currently files on remote filesystems are measured/appraised/audited
> >> once.  With the new flags, our options would be to either fail the
> >> signature verification or constantly re-measure/re-appraise files on
> >> remote file systems.  Neither option seems like the right solution.
> 
> They are measured/appraised/audited once, and you can not trust that at
> all because you don't know when the files are going to be different.
> 
> So either keeping the filesystem out of the ima game or failing sounds
> like the right answer to me.  At least until you can get better
> information from the filesystem.

Agreed

> 
> > Being new to this game, I may be making a bad assumption, but I thought
> > that the (NFSv4) change attribute can be used to detect remote mutations
> > to a file's content or metadata, so that the appraisal could be cached
> > as long as that attribute does not change. At least for NFSv4, clients
> > assume their data cache is valid while the change attribute remains the
> > same.
> >
> > NFSv4 (and SMB) also has a mechanism where a server guarantees it will
> > report any other clients that want to update a file. This is an NFSv4
> > read delegation or an SMB oplock. NFSv4 clients use this mechanism to
> > cache file data quite aggressively, and it could also be used to
> > preserve or cache audit state on remote files.
> 
> The file data invalid message, plus trusting the server, is what
> would be needed for reliably caching the validity of the file.
> 
> >> There's some very initial discussions on how to support file integrity
> >> on remote filesystems.  Chuck Lever has some thoughts on piggy-backing 
> >> on the fs-verity work being done.  From a very, very high level, IMA-
> >> appraisal would verify the file signature, but leave the integrity
> >> enforcement to the vfs/fs layer.  By integrating fs-verity or similar
> >> proposal with IMA, measurements would be included in the measurement
> >> list and keys used for file signature verification would use the same
> >> existing IMA-appraisal infrastructure.
> >
> >>> Mimi I believe you said that the requirement is that all file changes
> >>> can be detected through the final __fput of a file that calls
> >>> ima_file_free.
> >> 
> >> Right, like for fuse, I don't believe this existing hook works for
> >> remote filesystems.
> 
> I am trying to understand things.
> 
> - I believe the beginning of any file write should invalidate the
>   validity of the files cache.  IMA does something like that by looking
>   at i_writecount.

Unless we're willing to recalculate the file hash and update the
security xattr each time the file changes, invalidating the IMA cache
on the first write would result in any subsequent file opens failing.

> - As I read the code ima_file_free triggers an update of the ima xattr
>   and that update needs to wait until the file is quiescent.  AKA no
>   more writers.  I am not certain how you get that in a remote
>   filesystem.
> 
>   If the write is not coming from the local kernel I don't see how it
>   makes any sense for IMA to actually update the xattr on write.

Agreed, it doesn't.

Mimi
Mimi Zohar March 19, 2018, 11:57 a.m. UTC | #19
Hi Miklos,

On Tue, 2018-03-13 at 14:32 -0500, Eric W. Biederman wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> writes:
> 
> > Files on FUSE can change at any point in time without IMA being able
> > to detect it.  The file data read for the file signature verification
> > could be totally different from what is subsequently read, making the
> > signature verification useless.
> >
> > FUSE can be mounted by unprivileged users either today with fusermount
> > installed with setuid, or soon with the upcoming patches to allow FUSE
> > mounts in a non-init user namespace.
> >
> > This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
> > appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.
> 
> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

There's been a number of changes since the original version of this
patch set.  I would appreciate your Ack for this version?

Thanks,

Mimi


> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > Cc: Miklos Szeredi <miklos@szeredi.hu>
> > Cc: Seth Forshee <seth.forshee@canonical.com>
> > Cc: Eric W. Biederman <ebiederm@xmission.com>
> > Cc: Dongsu Park <dongsu@kinvolk.io>
> > Cc: Alban Crequy <alban@kinvolk.io>
> > Cc: "Serge E. Hallyn" <serge@hallyn.com>
> > ---
> >  fs/fuse/inode.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> > index 624f18bbfd2b..ef309958e060 100644
> > --- a/fs/fuse/inode.c
> > +++ b/fs/fuse/inode.c
> > @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
> >  	sb->s_maxbytes = MAX_LFS_FILESIZE;
> >  	sb->s_time_gran = 1;
> >  	sb->s_export_op = &fuse_export_operations;
> > +	sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
> > +	if (sb->s_user_ns != &init_user_ns)
> > +		sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
> >  
> >  	file = fget(d.fd);
> >  	err = -EINVAL;
>
diff mbox

Patch

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 624f18bbfd2b..ef309958e060 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1080,6 +1080,9 @@  static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 	sb->s_maxbytes = MAX_LFS_FILESIZE;
 	sb->s_time_gran = 1;
 	sb->s_export_op = &fuse_export_operations;
+	sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
+	if (sb->s_user_ns != &init_user_ns)
+		sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
 
 	file = fget(d.fd);
 	err = -EINVAL;