[PATCH 0/2] turn on force option for FUSE in builtin policies
From: Dongsu Park
Date: Thu Jan 11 2018 - 14:50:47 EST
In case of FUSE filesystem, cached integrity results in IMA could be
reused, when the userspace FUSE process has changed the
underlying files. To be able to avoid such cases, we need to turn on
the force option in builtin policies, for actions of measure and
appraise. Then integrity values become re-measured and re-appraised.
In that way, cached integrity results won't be used.
This patchset depends on the patch "ima: define a new policy option
named force" by Mimi. [1] For details on testing the force option,
please refer to the testing report by Alban. [2]
The first patch is for simply moving FUSE_*SUPER_MAGIC macros to
include/uapi/linux, to be able to use those in other subsystems like
security/integrity/ima.
The second patch is actually to turn on the force option for FUSE fs
in IMA.
[1] https://www.spinics.net/lists/linux-integrity/msg00948.html
[2] https://marc.info/?l=linux-integrity&m=151559360514676&w=2
Dongsu Park (2):
fs/fuse: move SUPER_MAGIC definitions to linux/magic.h
ima: turn on force option for FUSE in builtin policies
fs/fuse/control.c | 3 +--
fs/fuse/inode.c | 3 +--
include/uapi/linux/magic.h | 3 +++
security/integrity/ima/ima_policy.c | 2 ++
4 files changed, 7 insertions(+), 4 deletions(-)
--
2.13.6