On Mon, Mar 4, 2019 at 12:32 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Mon, 2019-03-04 at 11:52 -0800, Matthew Garrett wrote:
> > To be clear, I'm entirely happy to make this change - I'd just like to
> > ensure that I do it the right way!
>
> Falling back to reading the file is fine. So we're assuming that the
> person signing a policy containing "get_hash" understands the
> ramifications. And yes, only signed policies containing "get_hash"
> should be loaded.

I'm not clear on why requiring signed policies is helpful here. If you
allow FUSE mounts at all then you need to trust the FUSE filesystem to
return good results, in which case you can trust it to return valid
hashes. If you don't trust the FUSE filesystem then generating the hash
via read doesn't win you anything - the filesystem can return one set of
data on the initial IMA hashing, and then return a second set later.
Requiring signed policy doesn't change that.