On Mon, 2018-03-12 at 14:28 -0500, Serge E. Hallyn wrote:

Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):

quoted

This patch addresses the fuse privileged mounted filesystems in
environments which are unwilling to accept the risk of trusting the
signature verification and want to always fail safe, but are for example
using a pre-built kernel.

This patch defines a new builtin policy named "fail_securely", which can
be specified on the boot command line as an argument to "ima_policy=".

Signed-off-by: Mimi Zohar <redacted>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <redacted>
Cc: Eric W. Biederman <redacted>
Cc: Dongsu Park <redacted>
Cc: Alban Crequy <redacted>
Cc: Serge E. Hallyn <serge@hallyn.com>

Acked-by: Serge Hallyn <serge@hallyn.com>

Thanks!

but,

quoted

---
Changelog v3:
- Rename the builtin policy name

Changelog v2:
- address the fail safe environement

 Documentation/admin-guide/kernel-parameters.txt |  8 +++++++-
 security/integrity/ima/ima_appraise.c           | 11 ++++++-----
 security/integrity/ima/ima_main.c               |  3 ++-
 security/integrity/ima/ima_policy.c             |  5 +++++
 security/integrity/integrity.h                  |  1 +
 5 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 1d1d53f85ddd..2cc17dc7ab84 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt

@@ -1525,7 +1525,8 @@
 
 	ima_policy=	[IMA]
 			The builtin policies to load during IMA setup.
-			Format: "tcb | appraise_tcb | secure_boot"
+			Format: "tcb | appraise_tcb | secure_boot |
+				 fail_securely"
 
 			The "tcb" policy measures all programs exec'd, files
 			mmap'd for exec, and all files opened with the read

@@ -1540,6 +1541,11 @@
 			of files (eg. kexec kernel image, kernel modules,
 			firmware, policy, etc) based on file signatures.
 
+			The "fail_securely" policy forces file signature
+			verification failure also on privileged mounted
+			filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
+			flag.
+
 	ima_tcb		[IMA] Deprecated.  Use ima_policy= instead.
 			Load a policy which meets the needs of the Trusted
 			Computing Base.  This means IMA will measure all

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4bafb397ee91..3034935e1eb3 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c

@@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
 out:
 	/*
 	 * File signatures on some filesystems can not be properly verified.
-	 * On these filesytems, that are mounted by an untrusted mounter,
-	 * fail the file signature verification.
+	 * On these filesytems, that are mounted by an untrusted mounter or

How about "When such filesystems are mounted by an untrusted mounter or
on a system not willing to accept such a risk, ..." ?

(also filesytems is misspelled :)

It definitely sounds better.

quoted

+	 * for systems not willing to accept the risk, fail the file signature
+	 * verification.
 	 */