When an IMA measurement is triggered, IMA is forced to read the entire file and hash it. This can take a significant amount of time for large files. If the filesystem has a secure mechanism for storing the file's hash, then it makes sense to allow the filesystem to simply return that rather than forcing the entire file to be read.

This patchset adds an additional VFS call for providing the hash, and teaches IMA how to use it. An additional parameter is added to the IMA policy in order to indicate that a specific filesystem is trusted to provide the hashes. Mounts that would otherwise match the policy but which were mounted by a non-privileged user will still fall back to reading the entire file to obtain the hash. Finally, a kernel parameter is added to force hashes to be generated even if the policy says otherwise.

This has been developed for FUSE, so the patchset includes some additional supporting code. It adds an additional subtype parameter to IMA policy to permit policy matching against specific FUSE filesystem types. The expectation is that an LSM is used to restrict which filesystems are able to mount with this subtype, preventing cases where an untrusted FUSE filesystem is able to pretend to be a trusted one.

The use of FUSE (or any network filesystem) with IMA is already only viable with specific security controls - an untrusted filesystem can provide one set of data to the kernel when generating the initial hashes, but a different set of data when the executable is actually run. As a result, it's reasonable to assert that any setup relying on IMA should already be imposing restrictions that ensure that FUSE filesystems are only mounted by trustworthy executables. If this is the case, there is no additional security concern raised by these patches.
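
The selection between the filesystem-provided hash and a full read, modelled in user space as an added example; it is not code from the patchset. The names `trust_fs_hash`, `force_hash`, `examplefs` and the `Mount`/`Rule` classes are hypothetical, and falling back when the filesystem reports no hash is an assumption of the model.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Mount:                      # model of a mounted filesystem (constructed)
    fstype: str
    subtype: str
    privileged: bool              # mounted by a privileged user?
    files: dict = field(default_factory=dict)          # path -> bytes served on read
    stored_hashes: dict = field(default_factory=dict)  # path -> digest the fs reports

@dataclass
class Rule:                       # model of one IMA measurement rule
    fstype: str
    subtype: str
    trust_fs_hash: bool           # hypothetical name for the new policy parameter

def measure(path, mnt, rule, force_hash=False):
    """Return (digest, source), or None when the rule does not match the mount."""
    if (rule.fstype, rule.subtype) != (mnt.fstype, mnt.subtype):
        return None
    fs_digest = mnt.stored_hashes.get(path)
    # The filesystem's answer is used only if every condition holds.
    if rule.trust_fs_hash and mnt.privileged and not force_hash and fs_digest:
        return fs_digest, "filesystem"
    # Otherwise fall back to reading and hashing the whole file.
    return hashlib.sha256(mnt.files[path]).hexdigest(), "full-read"

# Constructed sample data
DATA = b"\x7fELF constructed sample binary"
REAL = hashlib.sha256(DATA).hexdigest()
RULE = Rule("fuse", "examplefs", trust_fs_hash=True)
trusted = Mount("fuse", "examplefs", True, {"/bin/app": DATA}, {"/bin/app": REAL})
# Same subtype, but mounted by an unprivileged user and reporting a bogus digest.
unpriv = Mount("fuse", "examplefs", False, {"/bin/app": DATA}, {"/bin/app": "0" * 64})
other = Mount("fuse", "otherfs", True, {"/bin/app": DATA}, {"/bin/app": REAL})

if __name__ == "__main__":
    for name, m, force in [("trusted", trusted, False), ("unprivileged", unpriv, False),
                           ("trusted+force", trusted, True), ("other subtype", other, False)]:
        print(name, measure("/bin/app", m, RULE, force_hash=force))
```

The unprivileged mount's bogus digest never reaches the measurement because that path ignores the filesystem's answer and hashes the bytes it reads.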