Re: [PATCH v3 4/4] fuse: define the filesystem as untrusted

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes:

> Files on FUSE can change at any point in time without IMA being able
> to detect it.  The file data read for the file signature verification
> could be totally different from what is subsequently read, making the
> signature verification useless.
>
> FUSE can be mounted by unprivileged users either today with fusermount
> installed with setuid, or soon with the upcoming patches to allow FUSE
> mounts in a non-init user namespace.
>
> This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when
> appropriate sets the SB_I_UNTRUSTED_MOUNTER flag.

Acked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
> Cc: Miklos Szeredi <miklos@xxxxxxxxxx>
> Cc: Seth Forshee <seth.forshee@xxxxxxxxxxxxx>
> Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> Cc: Dongsu Park <dongsu@xxxxxxxxxx>
> Cc: Alban Crequy <alban@xxxxxxxxxx>
> Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx>
> ---
>  fs/fuse/inode.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 624f18bbfd2b..ef309958e060 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
>  	sb->s_maxbytes = MAX_LFS_FILESIZE;
>  	sb->s_time_gran = 1;
>  	sb->s_export_op = &fuse_export_operations;
> +	sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
> +	if (sb->s_user_ns != &init_user_ns)
> +		sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
>  
>  	file = fget(d.fd);
>  	err = -EINVAL;



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux