 Documentation/ABI/testing/ima_policy |  3 +-
 security/integrity/ima/ima_policy.c  | 57 ++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 6 deletions(-)
This series adds a "dont_audit" action that cancels out following
"audit" actions (as we already have for other action types), and also
adds an "fs_subtype" that can be used to distinguish between FUSE
filesystems.

With these two patches applied, as a toy example, you can use the
following policy:
```
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
```

I have tested that with this policy, executing a binary from a
"fuse-zip" FUSE filesystem results in an audit log entry:
```
type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
```
while executing a binary from an "sshfs" FUSE filesystem does not
generate any audit log entries.

Signed-off-by: Jann Horn <jannh@google.com>
---
Jann Horn (2):
      ima: add dont_audit action to suppress audit actions
      ima: add fs_subtype condition for distinguishing FUSE instances

 Documentation/ABI/testing/ima_policy |  3 +-
 security/integrity/ima/ima_policy.c  | 57 ++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 6 deletions(-)
---
base-commit: 00642a06d60c897a8348784e1eee9e5369219ce5
change-id: 20250925-ima-audit-8bd219dcc6f6

-- 
Jann Horn <jannh@google.com>
On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> This series adds a "dont_audit" action that cancels out following
> "audit" actions (as we already have for other action types), and also
> adds an "fs_subtype" that can be used to distinguish between FUSE
> filesystems.
> 
> With these two patches applied, as a toy example, you can use the
> following policy:
> ```
> dont_audit fsname=fuse fs_subtype=sshfs
> audit func=BPRM_CHECK fsname=fuse
> ```
> 
> I have tested that with this policy, executing a binary from a
> "fuse-zip" FUSE filesystem results in an audit log entry:
> ```
> type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> ```
> while executing a binary from an "sshfs" FUSE filesystem does not
> generate any audit log entries.
> 
> Signed-off-by: Jann Horn <jannh@google.com>

Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
and mounts the fuse filesystems, not just loads the IMA policy rules, could you
share it?

thanks,

Mimi
On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > This series adds a "dont_audit" action that cancels out following
> > "audit" actions (as we already have for other action types), and also
> > adds an "fs_subtype" that can be used to distinguish between FUSE
> > filesystems.
> > 
> > With these two patches applied, as a toy example, you can use the
> > following policy:
> > ```
> > dont_audit fsname=fuse fs_subtype=sshfs
> > audit func=BPRM_CHECK fsname=fuse
> > ```
> > 
> > I have tested that with this policy, executing a binary from a
> > "fuse-zip" FUSE filesystem results in an audit log entry:
> > ```
> > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > ```
> > while executing a binary from an "sshfs" FUSE filesystem does not
> > generate any audit log entries.
> > 
> > Signed-off-by: Jann Horn <jannh@google.com>
> 
> 
> Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
> and mounts the fuse filesystems, not just loads the IMA policy rules, could you
> share it?

Thanks for the quick review!

To clarify, by "toy example" I meant that while I was using real FUSE
filesystems, the policy I was using is not very sensible.

I used real FUSE filesystems for this since I figured that would be
the easiest way to test, https://github.com/libfuse/sshfs and
https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros
like Debian (as "sshfs" and "fuse-zip").

I mounted sshfs with these commands (mounting the home directory over
ssh at ~/mnt/ssh):

user@vm:~$ cp /usr/bin/echo ~/ima/
user@vm:~$ sshfs localhost: ~/mnt/ssh

and mounted fuse-zip with:

user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo
  adding: usr/bin/echo (deflated 62%)
user@vm:~/ima$ mkdir zipmount
user@vm:~/ima$ fuse-zip echo.zip zipmount/

I then ran the executables ~/ima/zipmount/usr/bin/echo and
~/mnt/ssh/ima/echo.
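The rule ordering in the thread's policy (a "dont_audit" rule placed before the "audit" rule so that sshfs is exempted while other FUSE instances are still audited) can be checked against a small model of how IMA walks its rule list: for each action class, the first matching rule, whether the "do" or the "dont_" form, decides, and later rules for that class are skipped. The following is an added, simplified evaluator written for this thread, not code from the patch series or from the kernel's ima_policy.c; the "fuse-zip" subtype string and the event dictionaries are constructed inputs.

```python
"""Simplified model of IMA policy evaluation with dont_<action> rules.
Added illustration for the thread above; not the kernel's ima_policy.c."""


def parse_policy(text):
    """Parse lines such as 'dont_audit fsname=fuse fs_subtype=sshfs' into
    (action, {condition: value}) tuples, preserving file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        rules.append((action, dict(c.split("=", 1) for c in conds)))
    return rules


def matches(conds, event):
    """Every condition in the rule must equal the event's attribute."""
    return all(event.get(k) == v for k, v in conds.items())


def evaluate(rules, event):
    """Return the set of actions applied to an event. For each action class
    (e.g. 'audit'), the first matching rule decides: 'audit' enables it,
    'dont_audit' suppresses it, and later rules of that class are ignored."""
    decided = {}
    for action, conds in rules:
        base = action[len("dont_"):] if action.startswith("dont_") else action
        if base in decided or not matches(conds, event):
            continue
        decided[base] = not action.startswith("dont_")
    return {a for a, enabled in decided.items() if enabled}


POLICY = """
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# Constructed events modelled on the two executions described in the thread.
# The "fuse-zip" subtype value is assumed (libfuse defaults the subtype to the
# FUSE program's name); it is not quoted in the thread.
EXEC_FROM_FUSE_ZIP = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip"}
EXEC_FROM_SSHFS = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "sshfs"}

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print("fuse-zip exec:", evaluate(rules, EXEC_FROM_FUSE_ZIP))  # {'audit'}
    print("sshfs exec:   ", evaluate(rules, EXEC_FROM_SSHFS))     # set()
```

Reversing the two policy lines makes the sshfs execution audited as well, because the "audit" rule then matches first and the later "dont_audit" is never consulted.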