Re: [PATCH 0/2] turn on force option for FUSE in builtin policies
From: Dongsu Park
Date: Tue Jan 16 2018 - 06:09:37 EST
Hi,
On Thu, Jan 11, 2018 at 8:51 PM, Dongsu Park <dongsu@xxxxxxxxxx> wrote:
> In case of FUSE filesystem, cached integrity results in IMA could be
> reused, when the userspace FUSE process has changed the
> underlying files. To be able to avoid such cases, we need to turn on
> the force option in builtin policies, for actions of measure and
> appraise. Then integrity values become re-measured and re-appraised.
> In that way, cached integrity results won't be used.
Since yesterday Alban and I have been working on a different approach
that does not depend on IMA rules, nor fsmagic. Please see:
https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg1587390.html
If that's ok, I'm ready to discard this patchset.
Thanks,
Dongsu
> This patchset depends on the patch "ima: define a new policy option
> named force" by Mimi. [1] For details on testing the force option,
> please refer to the testing report by Alban. [2]
>
> The first patch is for simply moving FUSE_*SUPER_MAGIC macros to
> include/uapi/linux, to be able to use those in other subsystems like
> security/integrity/ima.
>
> The second patch is actually to turn on the force option for FUSE fs
> in IMA.
>
> [1] https://www.spinics.net/lists/linux-integrity/msg00948.html
> [2] https://marc.info/?l=linux-integrity&m=151559360514676&w=2
>
>
> Dongsu Park (2):
> fs/fuse: move SUPER_MAGIC definitions to linux/magic.h
> ima: turn on force option for FUSE in builtin policies
>
> fs/fuse/control.c | 3 +--
> fs/fuse/inode.c | 3 +--
> include/uapi/linux/magic.h | 3 +++
> security/integrity/ima/ima_policy.c | 2 ++
> 4 files changed, 7 insertions(+), 4 deletions(-)
>
> --
> 2.13.6
>