Hi Miklos, On Tue, 2018-03-13 at 14:32 -0500, Eric W. Biederman wrote: > Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes: > > > Files on FUSE can change at any point in time without IMA being able > > to detect it. The file data read for the file signature verification > > could be totally different from what is subsequently read, making the > > signature verification useless. > > > > FUSE can be mounted by unprivileged users either today with fusermount > > installed with setuid, or soon with the upcoming patches to allow FUSE > > mounts in a non-init user namespace. > > > > This patch sets the SB_I_IMA_UNVERIFIABLE_SIGNATURE flag and when > > appropriate sets the SB_I_UNTRUSTED_MOUNTER flag. > > Acked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> There's been a number of changes since the original version of this patch set. I would appreciate your Ack for this version? Thanks, Mimi > > > > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> > > Cc: Miklos Szeredi <miklos@xxxxxxxxxx> > > Cc: Seth Forshee <seth.forshee@xxxxxxxxxxxxx> > > Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > > Cc: Dongsu Park <dongsu@xxxxxxxxxx> > > Cc: Alban Crequy <alban@xxxxxxxxxx> > > Cc: "Serge E. Hallyn" <serge@xxxxxxxxxx> > > --- > > fs/fuse/inode.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c > > index 624f18bbfd2b..ef309958e060 100644 > > --- a/fs/fuse/inode.c > > +++ b/fs/fuse/inode.c > > @@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) > > sb->s_maxbytes = MAX_LFS_FILESIZE; > > sb->s_time_gran = 1; > > sb->s_export_op = &fuse_export_operations; > > + sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE; > > + if (sb->s_user_ns != &init_user_ns) > > + sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER; > > > > file = fget(d.fd); > > err = -EINVAL; >
