On Mon, 19 Feb 2018, Eric W. Biederman wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes:
>
> > Files on untrusted filesystems, such as fuse, can change at any time,
> > making the measurement(s) and by extension signature verification
> > meaningless.
>
> Filesystems with servers?
> Remote filesystems?
> Perhaps unexpected changes.
>
> Untrusted sounds a bit harsh, and I am not certain it quite captures
> what you are looking to avoid.

Right -- I think whether you trust a filesystem or not depends on how much
assurance you have in your specific configuration, rather than whether you
think the filesystem can be manipulated or not.

There is a difference between:

- This fs has no way to communicate a change to IMA, and
- This fs could be malicious.

In the latter case, I suggest that any fs could be malicious if the overall
security policy / settings are inadequate for the threat model, or if there
are vulnerabilities which allow such security to be bypassed.

Whether a user trusts FUSE on their particular system should be a policy
decision on the part of the user. The kernel should not be deciding what is
trusted or not trusted here.

--
James Morris
<jmorris@xxxxxxxxx>
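As an added illustration of the "policy decision on the part of the user" point, here is a constructed IMA policy fragment; it is not part of the thread or of any patch under discussion. It assumes the standard IMA policy syntax loaded through securityfs (`/sys/kernel/security/ima/policy`), where rules are matched in order and the first match wins, and it uses the FUSE superblock magic `0x65735546` (FUSE_SUPER_MAGIC) to identify FUSE mounts. An administrator who does not trust FUSE on a given system can express that in policy rather than relying on the kernel to hardcode the decision:

```text
# Constructed example IMA policy fragment (not from the mailing-list thread).
# Rules are evaluated top to bottom; the first matching rule applies.

# Treat FUSE mounts as out of scope for measurement and appraisal:
# a FUSE server can change content after it was measured, so results
# on such files would be meaningless (assumes FUSE_SUPER_MAGIC = 0x65735546).
dont_measure fsmagic=0x65735546
dont_appraise fsmagic=0x65735546

# Everything else: measure and appraise executables against IMA signatures.
measure func=BPRM_CHECK
appraise func=BPRM_CHECK appraise_type=imasig
```

Because the `dont_*` rules come first, files on FUSE mounts never reach the `BPRM_CHECK` rules; dropping the two `dont_*` lines is the opposite policy choice, where the administrator accepts FUSE as trusted and lets its files be measured and appraised like any other. Either way the decision lives in user-loaded policy, which is the position the reply above argues for.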