Re: [PATCH 2/3] IMA: Make use of filesystem-provided hashes

On Thu, Oct 11, 2018 at 4:03 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Thu, 2018-10-11 at 13:30 -0700, Matthew Garrett wrote:

> > Ok, should this just be part of the IMA policy?
>
> How would you be able to differentiate between different FUSE
> filesystems for example?

There are a couple of ways. We could extend the filesystem type matching
logic to also check the subtype - you'd then need to enforce that at
the LSM level in order to protect against untrusted filesystems
spoofing the filesystem type. Alternatively, we could add an
additional policy match type for mount point and iterate through
s_mounts on the superblock - if any match, we could define the policy
there?
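
The two matching options discussed in the message above, modelled in user space as an added example; it is not part of the original email and is not kernel or IMA code. The mountinfo lines are constructed, the function names are hypothetical, and grouping mounts by device number stands in for walking a superblock's s_mounts list.

```python
from collections import defaultdict

# Constructed /proc/self/mountinfo lines (not captured from a real system).
# Device 0:45 is one FUSE superblock that is mounted at two places.
MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:45 / /mnt/remote rw,nosuid,nodev shared:2 - fuse.sshfs host:/srv rw,user_id=0,group_id=0
41 22 0:46 / /home/u/enc rw,nosuid,nodev - fuse.gocryptfs /home/u/.enc rw,user_id=1000,group_id=1000
42 22 0:45 / /srv/trusted rw,nosuid,nodev shared:2 - fuse.sshfs host:/srv rw,user_id=0,group_id=0
"""

def parse_superblocks(text):
    """Group mounts by device number, standing in for a superblock's s_mounts."""
    sbs = defaultdict(lambda: {"fstype": None, "subtype": None, "mounts": []})
    for line in text.splitlines():
        # Optional fields end at a lone "-"; the type field follows it.
        left, right = line.split(" - ", 1)
        fields = left.split()
        dev, mountpoint = fields[2], fields[4]
        # The kernel prints the type as "type.subtype" when a subtype is set.
        fstype, _, subtype = right.split()[0].partition(".")
        sb = sbs[dev]
        sb["fstype"], sb["subtype"] = fstype, subtype or None
        sb["mounts"].append(mountpoint)
    return dict(sbs)

def match_subtype(sb, fstype, subtype):
    """Option 1: match type and subtype. The subtype is a string supplied at
    mount time, so it only identifies a filesystem if mounting is restricted."""
    return sb["fstype"] == fstype and sb["subtype"] == subtype

def match_mountpoint(sb, path):
    """Option 2: the rule applies if any mount of the superblock is at path."""
    return any(m == path for m in sb["mounts"])

def select(sbs, pred):
    """Return the device numbers of superblocks the predicate matches."""
    return sorted(dev for dev, sb in sbs.items() if pred(sb))

if __name__ == "__main__":
    sbs = parse_superblocks(MOUNTINFO)
    print("type only:  ", select(sbs, lambda sb: sb["fstype"] == "fuse"))
    print("type+subtype:", select(sbs, lambda sb: match_subtype(sb, "fuse", "sshfs")))
    print("mount point: ", select(sbs, lambda sb: match_mountpoint(sb, "/srv/trusted")))
```

Matching on the type alone selects both FUSE superblocks, while either of the two proposed matches narrows the rule to one of them; the mount-point match also applies to files reached through the same superblock's other mount at /mnt/remote.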
