On Fri, 2018-10-12 at 11:31 -0700, Matthew Garrett wrote:
> On Thu, Oct 11, 2018 at 4:03 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > On Thu, 2018-10-11 at 13:30 -0700, Matthew Garrett wrote:
> > > > Ok, should this just be part of the IMA policy?
> >
> > How would you be able to differentiate between different FUSE
> > filesystems for example?
>
> There's a couple of ways. We could extend the filesystem type matching
> logic to also check the subtype - you'd then need to enforce that at
> the LSM level in order to protect against untrusted filesystems
> spoofing the filesystem type. Alternatively, we could add an
> additional policy match type for mount point and iterate through
> s_mounts on the superblock - if any match, we could define the policy
> there?

The first method differentiates between different subtypes of FUSE
filesystems, while the second method allows differentiating between
the same type and subtype on different mount points.

Both criteria are needed, but instead of the second method based on a
mount point, perhaps based instead on a mount flag? Trusted mount of
permitted filesystem type and subtype, that is mounted with the
defined mount flag.

Mimi