On Tue, 2019-06-25 at 21:35 +0000, Kavitha Sivagnanam wrote:
>
> On 4/25/19, 4:59 AM, "Mimi Zohar" <zohar@xxxxxxxxxxxxx> wrote:
>
> > As Matthew indicated, you could define LSM labels on the squashfs file
> > images. Another option would be to extend IMA by implementing the LSM
> > security_sb_mount hook. The IMA policy rule would probably look
> > something like:
>
> We looked into the security_sb_mount function. It receives the
> device name as a string ("const char *dev_name"). We need to do the IMA
> appraisal on the backing file (squashfs file) associated with this
> device. However, based on this device name we were unable to get
> the backing_file associated with it in kernel space.
> Can you give some pointers?
>
> Also, we need to know whether, at the time this function is called,
> the backing file is already associated with this device.
>
> > appraise func=MOUNT_CHECK fsname=squashfs appraise_type=imasig

When the squashfs file is loopback mounted, the backing file is set in
drivers/block/loop.c: loop_set_fd() and stored as lo->lo_backing_file.

Although security_sb_mount() is called after setting the backing file,
it seems to be too early. You probably need to wait until after
fill_super(). Try using security_sb_kern_mount().

Mimi