Quoting Stefan Berger (stefanb@xxxxxxxxxxxxxxxxxx): > On 03/12/2018 03:29 PM, Serge E. Hallyn wrote: > >Quoting Mimi Zohar (zohar@xxxxxxxxxxxxxxxxxx): > >>Files on FUSE can change at any point in time without IMA being able > >>to detect it. The file data read for the file signature verification > >>could be totally different from what is subsequently read, making the > >>signature verification useless. > >> > >>FUSE can be mounted by unprivileged users either today with fusermount > >>installed with setuid, or soon with the upcoming patches to allow FUSE > >>mounts in a non-init user namespace. > >> > >>This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when > >>appropriate sets the SB_I_UNTRUSTED_MOUNTER flag. > >> > >>Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> > >>Cc: Miklos Szeredi <miklos@xxxxxxxxxx> > >>Cc: Seth Forshee <seth.forshee@xxxxxxxxxxxxx> > >>Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > >>Cc: Dongsu Park <dongsu@xxxxxxxxxx> > >>Cc: Alban Crequy <alban@xxxxxxxxxx> > >>Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx> > >Acked-by: Serge Hallyn <serge@xxxxxxxxxx> > > > >Of course when IMA namespacing hits, you'll want to compare the > >sb->s_user_ns to the (~handwaving~) user_ns owning the ima ns > >right? > > I suppose this would be the only way to enable 'trusted mounters' > within IMA namespaces. Maybe there could be an additional capability > gate that would allow one to be a 'trusted mounter' then? Wouldn't CAP_SYS_ADMIN to the ima_ns->user_ns suffice? I personally think CAP_INTEGRITY would make sense, but right now CAP_SYS_ADMIN seems to suffice so it wouldn't make sense to raise the bar there unless we raise it for all of IMA configuration. -serge
