Re: [PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-16 Thread Dongsu Park
Hi Mimi,
On Tue, Jan 16, 2018 at 12:23 PM, Mimi Zohar wrote:
> On Tue, 2018-01-16 at 12:09 +0100, Dongsu Park wrote:
>> Since yesterday Alban and I have been working on a different approach
>> that does not depend on IMA rules, nor fsmagic. Please see:
>> https://www.mail-archive.com/linux-kernel

Re: [PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-16 Thread Mimi Zohar
On Tue, 2018-01-16 at 12:09 +0100, Dongsu Park wrote:
> Hi,
>
> On Thu, Jan 11, 2018 at 8:51 PM, Dongsu Park wrote:
> > In case of FUSE filesystem, cached integrity results in IMA could be
> > reused, when the userspace FUSE process has changed the
> > underlying files. To be able to avoid such c

Re: [PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-16 Thread Dongsu Park
Hi,
On Thu, Jan 11, 2018 at 8:51 PM, Dongsu Park wrote:
> In case of FUSE filesystem, cached integrity results in IMA could be
> reused, when the userspace FUSE process has changed the
> underlying files. To be able to avoid such cases, we need to turn on
> the force option in builtin policies, f

Re: [PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-15 Thread Mimi Zohar
On Mon, 2018-01-15 at 09:18 -0800, Christoph Hellwig wrote:
> On Mon, Jan 15, 2018 at 11:32:41AM -0500, Mimi Zohar wrote:
> > For XFS, which considers fsmagic numbers private to the filesystem,
> > *always* using the fsmagic number is wrong.  As to whether this is
> > true for other filesystems is

Re: [PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-15 Thread Christoph Hellwig
On Mon, Jan 15, 2018 at 11:32:41AM -0500, Mimi Zohar wrote:
> For XFS, which considers fsmagic numbers private to the filesystem,
> *always* using the fsmagic number is wrong.  As to whether this is
> true for other filesystems is unclear.  IMA policies have been defined
> in terms of fsmagic numbe

Re: [PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-15 Thread Mimi Zohar
On Mon, 2018-01-15 at 06:48 -0800, Christoph Hellwig wrote:
> On Thu, Jan 11, 2018 at 08:51:48PM +0100, Dongsu Park wrote:
> > In case of FUSE filesystem, cached integrity results in IMA could be
> > reused, when the userspace FUSE process has changed the
> > underlying files. To be able to avoid s

Re: [PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-15 Thread Christoph Hellwig
On Thu, Jan 11, 2018 at 08:51:48PM +0100, Dongsu Park wrote:
> In case of FUSE filesystem, cached integrity results in IMA could be
> reused, when the userspace FUSE process has changed the
> underlying files. To be able to avoid such cases, we need to turn on
> the force option in builtin policies

[PATCH 0/2] turn on force option for FUSE in builtin policies

2018-01-11 Thread Dongsu Park
In case of FUSE filesystem, cached integrity results in IMA could be reused, when the userspace FUSE process has changed the underlying files. To be able to avoid such cases, we need to turn on the force option in builtin policies, for actions of measure and appraise. Then integrity values become r