On Mon, 2019-03-04 at 14:10 -0800, Matthew Garrett wrote:
> On Mon, Mar 4, 2019 at 12:32 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > On Mon, 2019-03-04 at 11:52 -0800, Matthew Garrett wrote:
> > > To be clear, I'm entirely happy to make this change - I'd just like to
> > > ensure that I do it the right way!
> >
> > Falling back to reading the file is fine. So we're assuming that the
> > person signing a policy containing "get_hash" understands the
> > ramifications. And yes, only signed policies containing "get_hash"
> > should be loaded.
>
> I'm not clear on why requiring signed policies is helpful here. If you
> allow FUSE mounts at all then you need to trust the FUSE filesystem to
> return good results, in which case you can trust it to return valid
> hashes. If you don't trust the FUSE filesystem then generating the
> hash via read doesn't win you anything - the filesystem can return one
> set of data on the initial IMA hashing, and then return a second set
> later. Requiring signed policy doesn't change that.

You're defining a new generic file op "get_hash", but are using FUSE, a
specific filesystem, as an example. Requiring the IMA policy to be signed
when using "get_hash" is proof of the sysadmin's agreement to bypass
actually reading and calculating the file hash.

Mimi