For local filesystems, the kernel prevents files being executed from being modified. With IMA-measurement enabled, the kernel also emits audit "time of measure, time of use" messages for files opened for read, and subsequently opened for write. Files on fuse are initially measured, appraised, and audited. Although the file data can change dynamically any time, making re-measuring, re-appraising, or re-auditing pointless, this patch set attempts to differentiate between unprivileged non-init root and privileged mounted fuse filesystems. This patch set addresses three different scenarios: - Unprivileged non-init root mounted fuse filesystems are untrusted. Signature verification should always fail and re-measuring, re-appraising, re-auditing files makes no sense. Always enabled. - For privileged mounted filesystems in a "secure" environment, with a correctly enforced security policy, which is willing to assume the inherent risk of specific fuse filesystems, it is reasonable to re-measure, re-appraise, and re-audit files. Enabled by default to prevent breaking existing systems. - Privileged mounted filesystems unwilling to assume the risks and prefers to fail safe. Enabled based on policy. Mimi Mimi Zohar (4): ima: fail file signature verification on non-init mounted filesystems ima: re-evaluate files on privileged mounted filesystems ima: fail signature verification based on policy fuse: define the filesystem as untrusted Documentation/admin-guide/kernel-parameters.txt | 8 +++++++- fs/fuse/inode.c | 3 +++ include/linux/fs.h | 2 ++ security/integrity/ima/ima_appraise.c | 16 +++++++++++++++- security/integrity/ima/ima_main.c | 14 ++++++++++++-- security/integrity/ima/ima_policy.c | 5 +++++ security/integrity/integrity.h | 1 + 7 files changed, 45 insertions(+), 4 deletions(-) -- 2.7.5
