leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
57b56ac6fe
linux/security
History
Mimi Zohar 57b56ac6fe ima: fail file signature verification on non-init mounted filesystems 
FUSE can be mounted by unprivileged users either today with fusermount
installed with setuid, or soon with the upcoming patches to allow FUSE
mounts in a non-init user namespace.

This patch addresses the new unprivileged non-init mounted filesystems,
which are untrusted, by failing the signature verification.

This patch defines two new flags SB_I_IMA_UNVERIFIABLE_SIGNATURE and
SB_I_UNTRUSTED_MOUNTER.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Dongsu Park <dongsu@kinvolk.io>
Cc: Alban Crequy <alban@kinvolk.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-03-23 06:31:37 -04:00
..
apparmor usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill 2018-03-07 09:05:53 +11:00
integrity ima: fail file signature verification on non-init mounted filesystems 2018-03-23 06:31:37 -04:00
keys KEYS: Use individual pages in big_key for crypto buffers 2018-02-22 14:58:38 +00:00
loadpin security: mark LSM hooks as __ro_after_init 2017-03-06 11:00:15 +11:00
selinux security: Add a cred_getsecid hook 2018-03-23 06:31:11 -04:00
smack security: Add a cred_getsecid hook 2018-03-23 06:31:11 -04:00
tomoyo vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
yama pids: introduce find_get_task_by_vpid() helper 2018-02-06 18:32:46 -08:00
commoncap.c capabilities: fix buffer overread on very short xattr 2018-01-02 20:49:13 +11:00
device_cgroup.c device_cgroup: prepare code for bpf-based device controller 2017-11-05 23:26:51 +09:00
inode.c securityfs: add the ability to support symlinks 2017-06-08 12:51:43 -07:00
Kconfig Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
lsm_audit.c lsm_audit: update my email address 2017-08-17 15:33:39 -04:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
min_addr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
security.c security: Add a cred_getsecid hook 2018-03-23 06:31:11 -04:00