On Sun, Oct 14, 2018 at 6:38 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Fri, 2018-10-12 at 11:31 -0700, Matthew Garrett wrote:
> > There's a couple of ways. We could extend the filesystem type matching
> > logic to also check the subtype - you'd then need to enforce that at
> > the LSM level in order to protect against untrusted filesystems
> > spoofing the filesystem type. Alternatively, we could add an
> > additional policy match type for mount point and iterate through
> > s_mounts on the superblock - if any match, we could define the policy
> > there?
>
> The first method differentiates between different subtypes of FUSE
> filesystems, while the second method allows differentiating between
> the same type and subtype on different mount points. Both criteria
> are needed, but instead of the second method based on a mount point,
> perhaps based instead on a mount flag?

Patch 3 already requires that the allow_gethash option be passed for this
to work - I can restrict that to CAP_SYS_ADMIN?

> Trusted mount of permitted filesystem type and subtype, that is
> mounted with the defined mount flag.

Ok, I'll write up a patch that allows policy matching of filesystem subtype
as well as type and try to get that posted this week so we can discuss it
in Edinburgh?
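The three discriminators the thread goes back and forth on (filesystem type, FUSE subtype, and mount point or mount option) can be seen from user space in /proc/self/mountinfo, where a FUSE mount reports its type as `fuse.<subtype>`. The following is an added illustration, not code from the patch series, IMA or the kernel: it parses constructed mountinfo lines and applies a toy policy rule keyed on each discriminator, so that the difference between "match by type", "match by type and subtype", "match by mount point" and "match by mount option" is concrete. The `Rule` class, the sample lines and the `allow_gethash` super-option placement are assumptions made for the example; note that the subtype string is chosen by the user-space FUSE daemon, which is exactly why the quoted message says such a check has to be enforced at the LSM level rather than trusted from user space.

```python
"""Added example: user-space view of type / subtype / mount point / mount option
as policy discriminators. Not IMA or kernel code; the Rule grammar is hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
# Fields: id parent maj:min root mountpoint mount-opts [optional...] - fstype source super-opts
# Whether allow_gethash would appear among the super options is an assumption.
SAMPLE_MOUNTINFO = """\
36 35 0:45 / /mnt/remote rw,nosuid,nodev,relatime - fuse.sshfs user@host:/srv rw,user_id=1000,group_id=1000
37 35 0:46 / /mnt/vault rw,nosuid,nodev,relatime - fuse.gocryptfs /home/u/.vault rw,user_id=1000,group_id=1000
38 35 0:47 / /mnt/trusted\\040data rw,nosuid,nodev,relatime - fuse.sshfs user@host:/srv rw,user_id=0,group_id=0,allow_gethash
39 35 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
"""


@dataclass
class Mount:
    mount_point: str
    fstype: str              # e.g. "fuse", "ext4"
    subtype: Optional[str]   # e.g. "sshfs" for "fuse.sshfs", None otherwise
    mount_opts: List[str]    # per-mount-point options (field 6)
    super_opts: List[str]    # per-superblock options (after the " - " separator)


def _unescape(s: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\040, \\011, \\012, \\134."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text: str) -> List[Mount]:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields sit before the literal " - " separator; fs info after it.
        pre, _, post = line.partition(" - ")
        pre_fields = pre.split()
        post_fields = post.split()
        mount_point = _unescape(pre_fields[4])
        mount_opts = pre_fields[5].split(",")
        fstype, _, subtype = post_fields[0].partition(".")
        super_opts = post_fields[2].split(",") if len(post_fields) > 2 else []
        mounts.append(Mount(mount_point, fstype, subtype or None, mount_opts, super_opts))
    return mounts


@dataclass
class Rule:
    """Hypothetical policy rule: fstype is mandatory, the other criteria are optional."""
    fstype: str
    subtype: Optional[str] = None
    mount_point: Optional[str] = None
    required_opt: Optional[str] = None   # must appear in mount or super options


def rule_matches(rule: Rule, m: Mount) -> bool:
    if m.fstype != rule.fstype:
        return False
    if rule.subtype is not None and m.subtype != rule.subtype:
        return False
    if rule.mount_point is not None and m.mount_point != rule.mount_point:
        return False
    if rule.required_opt is not None and rule.required_opt not in m.mount_opts + m.super_opts:
        return False
    return True


def matching_mount_points(rule: Rule, mounts: List[Mount]) -> List[str]:
    """Mount points the rule would apply to, in mountinfo order."""
    return [m.mount_point for m in mounts if rule_matches(rule, m)]


if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    for label, rule in [
        ("type only", Rule("fuse")),
        ("type + subtype", Rule("fuse", subtype="sshfs")),
        ("type + subtype + mount point", Rule("fuse", subtype="sshfs", mount_point="/mnt/trusted data")),
        ("type + mount option", Rule("fuse", required_opt="allow_gethash")),
    ]:
        print(f"{label:30s} -> {matching_mount_points(rule, mounts)}")
```

Running it shows why Mimi's reply says both criteria are needed: a type-only rule covers every FUSE mount regardless of what daemon backs it, a subtype rule still cannot separate two sshfs mounts, and only a per-mount criterion (mount point, or a mount flag as she suggests) singles out the one mount that was set up as trusted.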