This series adds a "dont_audit" action that cancels out following
"audit" actions (as we already have for other action types), and also
adds an "fs_subtype" that can be used to distinguish between FUSE
filesystems.
With these two patches applied, as a toy example, you can use the
following policy:
```
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
```
I have tested that with this policy, executing a binary from a
"fuse-zip" FUSE filesystem results in an audit log entry:
```
type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
```
while executing a binary from an "sshfs" FUSE filesystem does not
generate any audit log entries.
Signed-off-by: Jann Horn <jannh@google.com>
---
Jann Horn (2):
ima: add dont_audit action to suppress audit actions
ima: add fs_subtype condition for distinguishing FUSE instances
Documentation/ABI/testing/ima_policy | 3 +-
security/integrity/ima/ima_policy.c | 57 ++++++++++++++++++++++++++++++++----
2 files changed, 54 insertions(+), 6 deletions(-)
---
base-commit: 00642a06d60c897a8348784e1eee9e5369219ce5
change-id: 20250925-ima-audit-8bd219dcc6f6
--
Jann Horn <jannh@google.com>
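Added example (not part of the series or of the kernel's own code): a small Python model of the rule ordering the cover letter relies on, so the effect of the toy policy can be checked without a FUSE mount. It models only the subset of the IMA policy language the policy above uses (exact-match `func=`, `fsname=` and `fs_subtype=` conditions), and the per-action-type "first matching rule decides, whether it is `<action>` or `dont_<action>`" semantics that the cover letter describes for the existing `dont_*` actions. The event dictionaries are constructed inputs, and the `"fuse-zip"` subtype string for a fuse-zip mount is an assumption.

```python
"""Model of IMA policy rule ordering with dont_* actions.

Added example, not kernel code: it reproduces the ordering semantics the
cover letter describes (a dont_<action> rule that matches first suppresses
any later <action> rule for the same action type, and action types are
decided independently) on a tiny subset of the policy language.
"""
from dataclasses import dataclass

# Action types a single rule can decide; each is decided independently.
ACTIONS = ("measure", "appraise", "audit", "hash")


@dataclass
class Rule:
    action: str     # one of ACTIONS
    negate: bool    # True for dont_<action>
    conds: dict     # condition key -> required value


def parse_policy(text):
    """Parse '[dont_]<action> key=value ...' lines into Rule objects.

    Only exact-match conditions are modelled (func=, fsname=, fs_subtype=,
    ...); real IMA also has masks, uid ranges, fsmagic and more.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, *conds = line.split()
        negate = verb.startswith("dont_")
        action = verb[len("dont_"):] if negate else verb
        if action not in ACTIONS:
            raise ValueError(f"unknown action {verb!r}")
        parsed = {}
        for tok in conds:
            key, sep, val = tok.partition("=")
            if not sep or not key or not val:
                raise ValueError(f"bad condition {tok!r} in {line!r}")
            parsed[key] = val
        rules.append(Rule(action, negate, parsed))
    return rules


def rule_matches(rule, event):
    """A rule matches when every condition it states equals the event's value.

    A condition the event has no value for (e.g. fs_subtype on ext4) fails.
    """
    return all(event.get(k) == v for k, v in rule.conds.items())


def match_policy(rules, event):
    """Return the set of actions the policy selects for one access.

    Rules are walked in load order.  The first matching rule for each action
    type decides it: a plain rule selects the action, a dont_ rule leaves it
    unselected, and either way later rules for that type are skipped.
    """
    pending = set(ACTIONS)
    selected = set()
    for rule in rules:
        if rule.action not in pending or not rule_matches(rule, event):
            continue
        pending.discard(rule.action)
        if not rule.negate:
            selected.add(rule.action)
        if not pending:
            break
    return selected


# The cover letter's toy policy, verbatim.
TOY_POLICY = """
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# The same two rules in the opposite order, to show that order is what matters.
REVERSED_POLICY = """
audit func=BPRM_CHECK fsname=fuse
dont_audit fsname=fuse fs_subtype=sshfs
"""

# Constructed BPRM_CHECK events (executing a file).  "fuse-zip" as the
# subtype string carried by a fuse-zip mount is an assumption.
ZIP_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip"}
SSH_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "sshfs"}
EXT4_EXEC = {"func": "BPRM_CHECK", "fsname": "ext4"}


def toy_policy_results():
    rules = parse_policy(TOY_POLICY)
    return {name: match_policy(rules, ev) for name, ev in
            [("fuse-zip", ZIP_EXEC), ("sshfs", SSH_EXEC), ("ext4", EXT4_EXEC)]}


if __name__ == "__main__":
    for name, actions in toy_policy_results().items():
        print(f"{name:9s} -> {sorted(actions) or 'no action'}")
    # With the rules reversed the audit rule fires before dont_audit is seen.
    print("sshfs (reversed policy) ->",
          sorted(match_policy(parse_policy(REVERSED_POLICY), SSH_EXEC)))
```

Running it shows the fuse-zip execution selecting `audit` and the sshfs and ext4 executions selecting nothing, which is the behaviour the cover letter reports. Reversing the two rules makes the sshfs execution audited, because `dont_audit` only cancels audit rules that come after it. Prepending a `measure func=BPRM_CHECK` rule leaves `measure` selected for sshfs while `audit` stays suppressed, since each action type is decided on its own.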
On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> This series adds a "dont_audit" action that cancels out following
> "audit" actions (as we already have for other action types), and also
> adds an "fs_subtype" that can be used to distinguish between FUSE
> filesystems.
>
> With these two patches applied, as a toy example, you can use the
> following policy:
> ```
> dont_audit fsname=fuse fs_subtype=sshfs
> audit func=BPRM_CHECK fsname=fuse
> ```
>
> I have tested that with this policy, executing a binary from a
> "fuse-zip" FUSE filesystem results in an audit log entry:
> ```
> type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> ```
> while executing a binary from an "sshfs" FUSE filesystem does not
> generate any audit log entries.
>
> Signed-off-by: Jann Horn <jannh@google.com>

Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
and mounts the fuse filesystems, not just loads the IMA policy rules, could you
share it?

thanks,

Mimi
On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > This series adds a "dont_audit" action that cancels out following
> > "audit" actions (as we already have for other action types), and also
> > adds an "fs_subtype" that can be used to distinguish between FUSE
> > filesystems.
> >
> > With these two patches applied, as a toy example, you can use the
> > following policy:
> > ```
> > dont_audit fsname=fuse fs_subtype=sshfs
> > audit func=BPRM_CHECK fsname=fuse
> > ```
> >
> > I have tested that with this policy, executing a binary from a
> > "fuse-zip" FUSE filesystem results in an audit log entry:
> > ```
> > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > ```
> > while executing a binary from an "sshfs" FUSE filesystem does not
> > generate any audit log entries.
> >
> > Signed-off-by: Jann Horn <jannh@google.com>
>
>
> Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
> and mounts the fuse filesystems, not just loads the IMA policy rules, could you
> share it?

Thanks for the quick review! To clarify, by "toy example" I meant that
while I was using real FUSE filesystems, the policy I was using is not
very sensible.

I used real FUSE filesystems for this since I figured that would be
the easiest way to test, https://github.com/libfuse/sshfs and
https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros
like Debian (as "sshfs" and "fuse-zip").

I mounted sshfs with these commands (mounting the home directory over
ssh at ~/mnt/ssh):

user@vm:~$ cp /usr/bin/echo ~/ima/
user@vm:~$ sshfs localhost: ~/mnt/ssh

and mounted fuse-zip with:

user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo
  adding: usr/bin/echo (deflated 62%)
user@vm:~/ima$ mkdir zipmount
user@vm:~/ima$ fuse-zip echo.zip zipmount/

I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.
On Tue, 2025-09-30 at 16:26 +0200, Jann Horn wrote:
> On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > > This series adds a "dont_audit" action that cancels out following
> > > "audit" actions (as we already have for other action types), and also
> > > adds an "fs_subtype" that can be used to distinguish between FUSE
> > > filesystems.
> > >
> > > With these two patches applied, as a toy example, you can use the
> > > following policy:
> > > ```
> > > dont_audit fsname=fuse fs_subtype=sshfs
> > > audit func=BPRM_CHECK fsname=fuse
> > > ```
> > >
> > > I have tested that with this policy, executing a binary from a
> > > "fuse-zip" FUSE filesystem results in an audit log entry:
> > > ```
> > > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > > ```
> > > while executing a binary from an "sshfs" FUSE filesystem does not
> > > generate any audit log entries.
> > >
> > > Signed-off-by: Jann Horn <jannh@google.com>
> >
> >
> > Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
> > and mounts the fuse filesystems, not just loads the IMA policy rules, could you
> > share it?
>
> Thanks for the quick review! To clarify, by "toy example" I meant that
> while I was using real FUSE filesystems, the policy I was using is not
> very sensible.
>
> I used real FUSE filesystems for this since I figured that would be
> the easiest way to test, https://github.com/libfuse/sshfs and
> https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros
> like Debian (as "sshfs" and "fuse-zip").
>
> I mounted sshfs with these commands (mounting the home directory over
> ssh at ~/mnt/ssh):
>
> user@vm:~$ cp /usr/bin/echo ~/ima/
> user@vm:~$ sshfs localhost: ~/mnt/ssh
>
> and mounted fuse-zip with:
>
> user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo
>   adding: usr/bin/echo (deflated 62%)
> user@vm:~/ima$ mkdir zipmount
> user@vm:~/ima$ fuse-zip echo.zip zipmount/
>
> I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.

Thank you for the instructions. Due to the holidays, there was a delay. The
patches are now queued in next-integrity for 6.19.

Mimi
On Thu, Oct 16, 2025 at 5:52 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Tue, 2025-09-30 at 16:26 +0200, Jann Horn wrote:
> > On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > > On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > > > This series adds a "dont_audit" action that cancels out following
> > > > "audit" actions (as we already have for other action types), and also
> > > > adds an "fs_subtype" that can be used to distinguish between FUSE
> > > > filesystems.
> > > >
> > > > With these two patches applied, as a toy example, you can use the
> > > > following policy:
> > > > ```
> > > > dont_audit fsname=fuse fs_subtype=sshfs
> > > > audit func=BPRM_CHECK fsname=fuse
> > > > ```
> > > >
> > > > I have tested that with this policy, executing a binary from a
> > > > "fuse-zip" FUSE filesystem results in an audit log entry:
> > > > ```
> > > > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > > > ```
> > > > while executing a binary from an "sshfs" FUSE filesystem does not
> > > > generate any audit log entries.
> > > >
> > > > Signed-off-by: Jann Horn <jannh@google.com>
> > >
> > >
> > > Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
> > > and mounts the fuse filesystems, not just loads the IMA policy rules, could you
> > > share it?
> >
> > Thanks for the quick review! To clarify, by "toy example" I meant that
> > while I was using real FUSE filesystems, the policy I was using is not
> > very sensible.
> >
> > I used real FUSE filesystems for this since I figured that would be
> > the easiest way to test, https://github.com/libfuse/sshfs and
> > https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros
> > like Debian (as "sshfs" and "fuse-zip").
> >
> > I mounted sshfs with these commands (mounting the home directory over
> > ssh at ~/mnt/ssh):
> >
> > user@vm:~$ cp /usr/bin/echo ~/ima/
> > user@vm:~$ sshfs localhost: ~/mnt/ssh
> >
> > and mounted fuse-zip with:
> >
> > user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo
> >   adding: usr/bin/echo (deflated 62%)
> > user@vm:~/ima$ mkdir zipmount
> > user@vm:~/ima$ fuse-zip echo.zip zipmount/
> >
> > I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.
>
> Thank you for the instructions. Due to the holidays, there was a delay. The
> patches are now queued in next-integrity for 6.19.

Thanks a lot!