Re: [PATCH V2 3/4] IMA: Optionally make use of filesystem-provided hashes

On Mon, 2019-03-04 at 14:10 -0800, Matthew Garrett wrote:
> On Mon, Mar 4, 2019 at 12:32 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > On Mon, 2019-03-04 at 11:52 -0800, Matthew Garrett wrote:
> > > To be clear, I'm entirely happy to make this change - I'd just like to
> > > ensure that I do it the right way!
> >
> > Falling back to reading the file is fine.  So we're assuming that the
> > person signing a policy containing "get_hash" understands the
> > ramifications.  And yes, only signed policies containing "get_hash"
> > should be loaded.
> 
> I'm not clear on why requiring signed policies is helpful here. If you
> allow FUSE mounts at all then you need to trust the FUSE filesystem to
> return good results, in which case you can trust it to return valid
> hashes. If you don't trust the FUSE filesystem then generating the
> hash via read doesn't win you anything - the filesystem can return one
> set of data on the initial IMA hashing, and then return a second set
> later. Requiring signed policy doesn't change that.

You're defining a new generic file ops "get_hash", but are using FUSE,
a specific filesystem, as an example.  Requiring the IMA policy to be
signed when using "get_hash" is proof of the sysadmin's agreement to
bypass actually reading and calculating the file hash.

Mimi



