Re: [GIT PULL] Integrity: IMA FUSE fixes

From: James Morris
Date: Sun Feb 11 2018 - 08:23:24 EST

Next message: Marc Haber: "Re: VMs freezing when host is running 4.14"
Previous message: Konstantin Khlebnikov: "Re: [PATCH] mm/huge_memory.c: split should clone page flags before unfreezing pageref"
Next in thread: Mimi Zohar: "Re: [GIT PULL] Integrity: IMA FUSE fixes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 10 Feb 2018, Mimi Zohar wrote:

> > Which seems *worse* than what we do now, in that it wastes time and
> > effort on re-creating those pointless measurements because it disables
> > the caching of them.
> >
> > So honestly, the only sane thing seems to be to disable IMA on fuse,
> > not to force it to do even _more_ pointless work.
> >
> > What am I missing?
>
> No, you're right. The file could change at any time, making the
> measurement(s) and by extension signature verification meaningless.

Really? I thought the whole idea of IMA was that it only detects offline
tampering and it specifically does not protect against runtime attacks.

Any file could change after measurement on a compromised or misconfigured
system. e.g. via direct write to the block device.

> Custom policy rules could be defined to disable measurement,
> appraisal, and audit for files on fuse. However, I don't think we
> want to automatically disable measurement, even meaningless
> measurements. Some indication needs to be included for remote
> attestation, security analytics, or forensics. For systems with
> policies that require file signatures even on fuse, the safest thing
> would seem to be to fail the signature verification.

I don't understand this -- if a file passes signature verification, it
passes. If it was modified and still passes, the problem is elsewhere.

I don't think the FUSE measurements are inherently useless, or more
useless than any others, at least. You can misconfigure all kinds of
things on a system which would undermine IMA, and I would count allowing
unprivileged use of FUSE with critical files as such.

The point of the patches, IIUC, was that FUSE had no useful way to notify
IMA that a file had changed, so, always measure. IMA assumes that changes
to a running system are made under the control of a correctly enforced
security policy. If you're using FUSE and IMA, then you should understand
the security implications of that. Or am I missing something?

- James
--
James Morris
<jmorris@xxxxxxxxx>

Next message: Marc Haber: "Re: VMs freezing when host is running 4.14"
Previous message: Konstantin Khlebnikov: "Re: [PATCH] mm/huge_memory.c: split should clone page flags before unfreezing pageref"
Next in thread: Mimi Zohar: "Re: [GIT PULL] Integrity: IMA FUSE fixes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]