Allow trusted filesystems to provide IMA hashes directly

When an IMA measurement is triggered, IMA is forced to read the entire
file and hash it. This can take a significant amount of time for large
files. If the filesystem has a secure mechanism for storing the file's
hash then it makes sense to allow the filesystem to simply return that
rather than forcing the entire file to be read.

This patchset adds an additional VFS call for providing the hash, and
teaches IMA how to use it. An additional parameter is added to the IMA
policy in order to indicate that a specific filesystem is trusted to
provide the hashes. Mounts that would otherwise match the policy but
which were mounted by a non-privileged user will still fall back to
reading the entire file to obtain the hash. Finally, a kernel parameter
is added to force hashes to be generated even if the policy says
otherwise.

This has been developed for FUSE, so the patchset includes some
additional supporting code. It adds an additional subtype parameter to
IMA policy to permit policy matching against specific FUSE filesystem
types. The expectation is that an LSM is used to restrict which
filesystems are able to mount with this subtype, preventing cases where
an untrusted FUSE filesystem is able to pretend to be a trusted one.

The use of FUSE (or any network filesystem) with IMA is already only
viable with specific security controls - an untrusted filesystem can
provide one set of data to the kernel when generating the initial
hashes, but a different set of data when the executable is actually run.
As a result, it's reasonable to assert that any setup relying on IMA
should already be imposing restrictions that ensure that FUSE
filesystems are only mounted by trustworthy executables. If this is the
case, there is no additional security concern raised by these patches.
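The trust decision the cover letter describes (policy match, the privileged-mount fallback, and the override kernel parameter) can be modelled in a few lines of C. The block below is an added illustration, not code from the patchset or from the IMA subsystem: the rule field names `fsname` and `fssubtype`, the flag `fs_provides_hash`, the parameter `ima_force_hash` and the subtype string "trusted-fs" are all hypothetical stand-ins, and first-match rule evaluation is a modelling assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Where IMA obtains the hash of a measured file. */
enum hash_source { HASH_FROM_FILE, HASH_FROM_FS };

/* One IMA policy rule, reduced to the fields this decision needs.
 * fsname/fssubtype are hypothetical names for the cover letter's
 * "additional parameter" and "subtype parameter"; NULL matches anything. */
struct ima_rule {
	const char *fsname;
	const char *fssubtype;
	bool fs_provides_hash; /* filesystem is trusted to supply the hash */
};

/* What the decision needs to know about the mount holding the file. */
struct mount_info {
	const char *fsname;
	const char *fssubtype;   /* NULL for filesystems without a subtype */
	bool mounted_privileged; /* false when an unprivileged user did the mount */
};

/* Stand-in for the kernel parameter that forces hashes to be computed
 * from file contents regardless of policy (name is hypothetical). */
static bool ima_force_hash;

static bool field_matches(const char *pattern, const char *value)
{
	if (pattern == NULL)
		return true; /* rule does not constrain this field */
	return value != NULL && strcmp(pattern, value) == 0;
}

/* First-match evaluation over the rule list (modelling assumption). */
static enum hash_source ima_hash_source(const struct ima_rule *rules,
					size_t nrules,
					const struct mount_info *m)
{
	size_t i;

	/* The kernel parameter wins over any policy rule. */
	if (ima_force_hash)
		return HASH_FROM_FILE;

	for (i = 0; i < nrules; i++) {
		const struct ima_rule *r = &rules[i];

		if (!field_matches(r->fsname, m->fsname) ||
		    !field_matches(r->fssubtype, m->fssubtype))
			continue;

		/* A matching rule may delegate hashing to the filesystem,
		 * but only if the mount was performed by a privileged user;
		 * otherwise the whole file is read and hashed as before. */
		if (r->fs_provides_hash && m->mounted_privileged)
			return HASH_FROM_FS;
		return HASH_FROM_FILE;
	}
	return HASH_FROM_FILE;
}

/* Constructed demo policy: one FUSE subtype is trusted, nothing else is. */
static const struct ima_rule demo_rules[] = {
	{ "fuse", "trusted-fs", true },  /* hypothetical subtype */
	{ "fuse", NULL,         false }, /* any other FUSE filesystem */
	{ NULL,   NULL,         false }, /* everything else */
};

enum hash_source demo_decide(const char *fsname, const char *fssubtype,
			     bool mounted_privileged, bool force_hash)
{
	struct mount_info m = { fsname, fssubtype, mounted_privileged };

	ima_force_hash = force_hash;
	return ima_hash_source(demo_rules,
			       sizeof demo_rules / sizeof demo_rules[0], &m);
}

int main(void)
{
	static const char *names[] = { "read file", "filesystem-provided" };

	printf("trusted subtype, root mount:   %s\n",
	       names[demo_decide("fuse", "trusted-fs", true, false)]);
	printf("trusted subtype, user mount:   %s\n",
	       names[demo_decide("fuse", "trusted-fs", false, false)]);
	printf("other subtype, root mount:     %s\n",
	       names[demo_decide("fuse", "other-fs", true, false)]);
	printf("trusted subtype, forced param: %s\n",
	       names[demo_decide("fuse", "trusted-fs", true, true)]);
	return 0;
}
```

The second rule in the demo policy is what makes the LSM requirement from the cover letter visible: subtype matching alone only distinguishes names, so without an LSM restricting who may mount with the "trusted-fs" subtype, any FUSE daemon could claim it and land in the first rule.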




