Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ignore many more filesystems in IMA #6575

Merged
merged 1 commit into from
Dec 1, 2022
Merged

fix: ignore many more filesystems in IMA #6575

merged 1 commit into from
Dec 1, 2022

Conversation

smira
Copy link
Member

@smira smira commented Dec 1, 2022

Fixes #6553

Talos itself defaults to XFS, so IMA measurements weren't done for Talos own filesystems. But many other solutions create by default ext4 filesystems, or it might be something mounted by other means.

Signed-off-by: Andrey Smirnov andrey.smirnov@talos-systems.com

@smira smira added this to the v1.4 milestone Dec 1, 2022
frezbo
frezbo reviewed Dec 1, 2022
View reviewed changes
internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go Outdated
"dont_measure fsmagic=0xde5e81e4", // EFIVARFS_MAGIC
"dont_measure fsmagic=0x58465342", // XFS_MAGIC
"dont_measure fsmagic=0x794c7630", // OVERLAYFS_SUPER_MAGIC
"dont_measure fsmagic=0x858458f6", // BTRFS_SUPER_MAGIC
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any links to where these magic numbers are from, the kernel docs doesn't seem to have ext4 ones, at least the one in the comment

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://man7.org/linux/man-pages/man2/statfs.2.html

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ha... this one is wrong, I will fix it up, thanks for noticing that https://github.com/torvalds/linux/blob/master/include/uapi/linux/magic.h

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, now I'm more confused... I'll dig into that

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/torvalds/linux/blob/v5.15/include/uapi/linux/magic.h we'd probably need this, since our kernel is 5.15

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess magics shouldn't change, they're derived from the filesystem superblock. should be better now

@frezbo
Copy link
Member

frezbo commented Dec 1, 2022

🆒

@evandeaubl
Copy link

evandeaubl commented Dec 1, 2022
edited
Loading

#6553 filer here. 😄 I notice in the list of excluded filesystems, FUSE isn't included. Is there a reason that can't be included as well, because a number of CSIs use FUSE under the covers, and I was reproducing the issue with one of those (https://github.com/yandex-cloud/k8s-csi-s3).

@frezbo
Copy link
Member

frezbo commented Dec 1, 2022

#6553 filer here. smile I notice in the list of excluded filesystems, FUSE isn't included. Is there a reason that can't be included as well, because a number of CSIs use FUSE under the covers, and I was reproducing the issue with one of those (https://github.com/yandexcloud/k8s-csi-s3).

good point, just missed, don't see any harm in including FUSE too

@smira
Copy link
Member Author

smira commented Dec 1, 2022

#6553 filer here. smile I notice in the list of excluded filesystems, FUSE isn't included. Is there a reason that can't be included as well, because a number of CSIs use FUSE under the covers, and I was reproducing the issue with one of those (https://github.com/yandex-cloud/k8s-csi-s3).

thanks, just added that as well

@smira
fix: ignore many more filesystems in IMA
d3cf061 
Fixes siderolabs#6553

Talos itself defaults to XFS, so IMA measurements weren't done for Talos
own filesystems. But many other solutions create by default ext4
filesystems, or it might be something mounted by other means.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
@smira
Copy link
Member Author

smira commented Dec 1, 2022

/m

@talos-bot talos-bot merged commit d3cf061 into siderolabs:main Dec 1, 2022
@smira smira mentioned this pull request Dec 7, 2022
Merged
@smira smira mentioned this pull request Dec 20, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frezbo frezbo frezbo approved these changes

@andrewrynhard andrewrynhard andrewrynhard approved these changes

@TimJones TimJones TimJones approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.4
Development

Successfully merging this pull request may close these issues.

Bad latency reading large files from mounted volumes
6 participants
@smira @frezbo @evandeaubl @TimJones @andrewrynhard @talos-bot