From patchwork Thu Feb 15 16:47:06 2018
X-Patchwork-Submitter: "Eric W. Biederman"
X-Patchwork-Id: 10222501
From: ebiederm@xmission.com (Eric W. Biederman)
To: Mimi Zohar
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Miklos Szeredi, Seth Forshee, Dongsu Park, Alban Crequy, "Serge E. Hallyn"
Subject: Re: [RFC PATCH 2/4] ima: fail signature verification on unprivileged & untrusted filesystems
Date: Thu, 15 Feb 2018 10:47:06 -0600
Message-ID: <87a7wayzcl.fsf@xmission.com>
In-Reply-To: <1518698285.5667.87.camel@linux.vnet.ibm.com> (Mimi Zohar's message of "Thu, 15 Feb 2018 07:38:05 -0500")
References: <1518615315-7162-1-git-send-email-zohar@linux.vnet.ibm.com> <1518615315-7162-2-git-send-email-zohar@linux.vnet.ibm.com> <87po57yvix.fsf@xmission.com> <1518698285.5667.87.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Mimi Zohar writes:

> On Wed, 2018-02-14 at 17:57 -0600, Eric W. Biederman wrote:
>> Mimi Zohar writes:
>>
>> > Files on untrusted filesystems, such as fuse, can change at any time,
>> > making the measurement(s) and by extension signature verification
>> > meaningless.
>> >
>> > FUSE can be mounted by unprivileged users either today with fusermount
>> > installed with setuid, or soon with the upcoming patches to allow FUSE
>> > mounts in a non-init user namespace.
>> >
>> > This patch always fails the file signature verification on unprivileged
>> > and untrusted filesystems.
>> > To also fail file signature verification on privileged, untrusted
>> > filesystems requires a custom policy.
>> >
>> > (This patch is based on Alban Crequy's use of fs_flags and patch
>> > description.)
>>
>> This would be much better done based on a flag in s_iflags and then the
>> mounts that need this can set this. That new flag can perhaps be called
>> SB_I_IMA_FAIL.
>>
>> Among other things that should allow the policy of when to set this to
>> be set in fuse where it is obvious rather than in a magic location in
>> IMA.
>
> Using s_iflags instead of fs_flags is fine, but I'm not sure how this
> affects the IMA policy. This patch set assumes only unprivileged,
> untrusted filesystems can automatically fail file signature
> verification (2nd patch), as that hasn't yet been upstreamed and won't
> break userspace.
>
> Based on policy, IMA should additionally be able to fail the signature
> verification for files on privileged, untrusted filesystems.

Apologies, ima has a very specific meaning of policy, as in the loaded
ima policy. I was meaning the hard coded policy of which filesystems we
simply would not trust by default.

In code terms what I was thinking would look something like:

And somewhere in the fuse mount code it would say:

	if (sb->s_user_ns != &init_user_ns)
		sb->s_iflags |= SB_I_NOIMA;

The point being that the logic for setting the flag can live in fuse or
a simpler filesystem and all ima proper needs to do is deal with the
flag being set. That should be easier to maintain and simpler to code
all around.

Eric

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -292,7 +292,14 @@ int ima_appraise_measurement(enum ima_hooks func, } out: - if (status != INTEGRITY_PASS) { + /* Fail if we can't trust the fs enough to support ima xattrs (FUSE) */ + if (inode->i_sb->s_iflags & SB_I_NOIMA) { + status = INTEGRITY_FAIL; + cause = "untrusted-filesystem"; + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, + op, cause, rc, 0); + } else if (status != INTEGRITY_PASS) { if ((ima_appraise & IMA_APPRAISE_FIX) && (!xattr_value || xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
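Review bot: SB_I_NOIMA is tested in this hunk but nothing in the patch defines it; the s_iflags bits live in include/linux/fs.h, so a companion hunk adding the new SB_I_* value is needed before this builds. Placing the test at the out: label also means the appraisal work above it (the xattr read and comparison that produced `status`) has already run against the untrusted filesystem before its result is overridden, and the `rc` handed to integrity_audit_msg() is whatever that earlier path left, so the audit record for "untrusted-filesystem" can carry an unrelated or zero result code. Checking `inode->i_sb->s_iflags & SB_I_NOIMA` at the top of ima_appraise_measurement() and passing an explicit error such as -EACCES as rc would make the failure cheaper and the audit message self-consistent. Keeping the new branch as `if ... else if` is right, since it also stops the IMA_APPRAISE_FIX path from writing an xattr onto such a filesystem.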