From nobody Thu Oct 2 01:01:47 2025 Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA20B78F39 for ; Thu, 25 Sep 2025 23:45:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758843925; cv=none; b=lcdccUYFubPjyq1sxDJ31lRbeO57R8SrIR6A7k/99GOou32qvCaxYJZY2bAv6cA/QX827B1egkIr5KPfjMYqKm4hSMkdZ7oxmiGwiFpnbRjTfjcaApstai8vynV3Hwsir+XQRYVi+Cd1Hora9gnlEqZuSEiQdHxrVGra1GCMKkk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758843925; c=relaxed/simple; bh=qnzcSqkrw05lFjyonOVGGDH1fyI94qn3kHI5lWyeGfs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Jj0+DzhI5MSbSoHtdPmu+ljZp8cvm4P9OnweSgQZuu44QxgedcueHm+RC+tZrrR2lNYY7ON9ggatUJDAPCY2QsuhIimNEzXegcxOIlljXUxkrNCA79vGHf2LnZisJZ82Bs8WVvmy4YoK4GzdHsWDaEOpkhade+G7eSY+Rw0ICnM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=FVBmFKgR; arc=none smtp.client-ip=209.85.128.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="FVBmFKgR" Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-45f2f894632so30275e9.0 for ; Thu, 25 Sep 2025 16:45:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758843922; x=1759448722; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=k+/60p2igLHxhXduVxBRgrzlVIOHLKXxhij7umLu7HU=; b=FVBmFKgRSiWKavs2FK96pagDgBR8GumPp2+fIA8XIZLeZPfVIePvH5Rh/PVP5x8BJw Ynu5PduS16zDXWaqrAne10hoA3xYNg3WzQ6JpY1D9nXe2VgPZ3VE3OKiLDf8GSrM8deq jIuI4vdBDLsvX9tVR+5vYQTHvsHztb0m17LszZn8Qq2mykvOmz79ijXophDnKHGU6q72 XT0l0qxonGCsJIl/beLXB9rRAsWqn6a9CvL+Pnxejz2zRFSvwEXdhF23u5oWeGsPI2qQ rvrS+fjfLlXFDVsS9McT9KNk/Jrkq7sd3ufIU/linVb7UInLmM0IuVBeu6IUgH2Fb+6Q LCOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758843922; x=1759448722; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=k+/60p2igLHxhXduVxBRgrzlVIOHLKXxhij7umLu7HU=; b=PzncXZbMUaZEgY9BHGIwSodyRWcd//pZw1aCNPTbCoDfwxpWECjLjytnbV67q5TwW8 Qr8RX4cjLJuCFuVHspUT7O6Qh6r+fdDir7aQ+4Ej1kTcFIYfAolpG8Uq8Pw+Vh2LTGJ5 r+3C9an8lgZlgTesgf2uhJVr/URLRiGhLWsnctHY8ox2t2YNgdJz6n+22goTG4QP17KA CEjA0JwIkEw7Gx3hK+RDbiiPERKhCuctqQyzxsg1caEH2tgk0wdMiA4w/ECLIky0pH2R KbXqMyrcPV2eM1l0+f+hMms/cFoj2a192hWddgQ8wh06uQ7hUMwW1tGXBIs572Pjf92r h7VQ== X-Forwarded-Encrypted: i=1; AJvYcCVF2kTW/l8CqC5qaKHYq0nwkcVLOwCvVEt3Px2q9kH+PU22isLWcVimxYo7siaSQo2Yrj9juxSx7rJuK/0=@vger.kernel.org X-Gm-Message-State: AOJu0YyKhwIYUgKgVuNRQRTSZ3b6AsMyESWCT2ggPpg39BzSS1AWaGBL tsHBW47wnwTaA+7+A0KrIUHBq1k/LVJY2Y9XWVlrs8+aFJG8UOB26EzeURsBiCmWFg== X-Gm-Gg: ASbGncsYrj6UIvC2hU0TFPL2v3W4HCAn7Ux2Zuc07jvwGRidPLbtBFkbW3sCZ9a4NPT LeYuN4e8gEfovngzh9vEiglbQvQqlmkXArZITQXkpWUQL/Le75woGNw6ABp3x/zVDCEvnVCfeiC 4xLWim8xfCD5k3F1IwNDIuOqo4SvBsabjgCs++iMwJOmBI0jpjKycdG+sJNJJKHWENzYACXGNnA MbZXbTgX4iUEXzgvFW60lv/9ZDbfXkVjKRc3NZTMOX10Uh+qIVNg8VODbveKWVMQ4fUI2NboM5T ZA+wiN4y3xRb+lCXFHb/5Rpjvt3iP7xalQf5KwGgSrjge4q1EuKgmXNuxDx4dqeYPR9xKaQgAk8 DsyGRhw11KMxkOfV0cbZGduta22w= X-Google-Smtp-Source: AGHT+IEI1KfavPKBZUkfMpl0ut11FyDudWgx4jPvjefzfrIyZcrrL6+wiJ9w8Z8vTR/+ZXY7evgJfw== X-Received: by 2002:a05:600c:c112:b0:45a:2861:3625 with SMTP id 5b1f17b1804b1-46e3b014890mr435905e9.4.1758843921935; Thu, 25 Sep 2025 16:45:21 -0700 (PDT) Received: from localhost ([2a00:79e0:9d:4:802b:ac1b:7bf0:4c9a]) by smtp.gmail.com with UTF8SMTPSA id ffacd0b85a97d-40fc88b0779sm4547044f8f.58.2025.09.25.16.45.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Sep 2025 16:45:21 -0700 (PDT) From: Jann Horn Date: Fri, 26 Sep 2025 01:45:06 +0200 Subject: [PATCH 1/2] ima: add dont_audit action to suppress audit actions Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250926-ima-audit-v1-1-64d75fdc8fdc@google.com> References: <20250926-ima-audit-v1-0-64d75fdc8fdc@google.com> In-Reply-To: <20250926-ima-audit-v1-0-64d75fdc8fdc@google.com> To: Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg Cc: Frank Dinoff , linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, Jann Horn X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1758843915; l=3033; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=qnzcSqkrw05lFjyonOVGGDH1fyI94qn3kHI5lWyeGfs=; b=WpV3JAso+B4JtzmfkpfNA6IW1wg12HJNMo/QnUy96JxFE53vQ9eNMALgdy1bT0bXMVr2BW2ZV wsPqi/reRJdCOjebvufGVMmZ9JHjorJ6xo4ejdgDnRMzlgtJ0RNJYVq X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= "measure", "appraise" and "hash" actions all have corresponding "dont_*" actions, but "audit" currently lacks that. This means it is not currently possible to have a policy that audits everything by default, but excludes specific cases. This seems to have been an oversight back when the "audit" action was added. Add a corresponding "dont_audit" action to enable such uses. Signed-off-by: Jann Horn --- Documentation/ABI/testing/ima_policy | 2 +- security/integrity/ima/ima_policy.c | 14 +++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testi= ng/ima_policy index c2385183826c..5d548dd2c6e7 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -20,7 +20,7 @@ Description: rule format: action [condition ...] =20 action: measure | dont_measure | appraise | dont_appraise | - audit | hash | dont_hash + audit | dont_audit | hash | dont_hash condition:=3D base | lsm [option] base: [[func=3D] [mask=3D] [fsmagic=3D] [fsuuid=3D] [fsname=3D] [uid=3D] [euid=3D] [gid=3D] [egid=3D] diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/i= ma_policy.c index 128fab897930..c5bad3a0c43a 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -45,6 +45,7 @@ #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ #define DONT_APPRAISE 0x0008 #define AUDIT 0x0040 +#define DONT_AUDIT 0x0080 #define HASH 0x0100 #define DONT_HASH 0x0200 =20 @@ -1064,7 +1065,7 @@ void ima_update_policy(void) enum policy_opt { Opt_measure, Opt_dont_measure, Opt_appraise, Opt_dont_appraise, - Opt_audit, Opt_hash, Opt_dont_hash, + Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash, Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid, @@ -1086,6 +1087,7 @@ static const match_table_t policy_tokens =3D { {Opt_appraise, "appraise"}, {Opt_dont_appraise, "dont_appraise"}, {Opt_audit, "audit"}, + {Opt_dont_audit, "dont_audit"}, {Opt_hash, "hash"}, {Opt_dont_hash, "dont_hash"}, {Opt_obj_user, "obj_user=3D%s"}, @@ -1478,6 +1480,14 @@ static int ima_parse_rule(char *rule, struct ima_rul= e_entry *entry) =20 entry->action =3D AUDIT; break; + case Opt_dont_audit: + ima_log_string(ab, "action", "dont_audit"); + + if (entry->action !=3D UNKNOWN) + result =3D -EINVAL; + + entry->action =3D DONT_AUDIT; + break; case Opt_hash: ima_log_string(ab, "action", "hash"); =20 @@ -2097,6 +2107,8 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, pt(Opt_dont_appraise)); if (entry->action & AUDIT) seq_puts(m, pt(Opt_audit)); + if (entry->action & DONT_AUDIT) + seq_puts(m, pt(Opt_dont_audit)); if (entry->action & HASH) seq_puts(m, pt(Opt_hash)); if (entry->action & DONT_HASH) --=20 2.51.0.536.g15c5d4f767-goog From nobody Thu Oct 2 01:01:47 2025 Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C188C2E7F2A for ; Thu, 25 Sep 2025 23:45:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758843926; cv=none; b=XKGvCYHPCYn9sItjeyTtwZ8dHvSWSwMrXatZSg4FP4vFn9eiwRByuXIFPMEg3ZZu+y9EVQ76DfsiGhz/HkKAryomVcNL4xm17QEnnNke2EySMLsaXwBBc2p0ps376UMf8vm7xLuQUfxiGJDHbQJ6UGRWYIZEFSBFsYubtJ+aOEo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758843926; c=relaxed/simple; bh=zc5PDYPZ7GdBtFvuYFvu8FWqBQP+b/s/g+l/C+lBL/A=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=fMBkul4IiTrZauqVGW/jqA6p+f4jhpLGhSSiUyR8mF4QWzgtWOPqrz0ZYMpP4J9fKEbqthiHs9yDQzqLtzb2G5jCCsQMkw2Oby+aorklwA6+09P9lHee7Fajw1ruYK+N9yL3suTAIwNVPwtanEeqfZZ7ca749O/lrwTnChEnOdI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=wsUcBhCT; arc=none smtp.client-ip=209.85.128.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="wsUcBhCT" Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-46e32c0e273so15425e9.1 for ; Thu, 25 Sep 2025 16:45:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758843923; x=1759448723; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=Ol0A50kwMXAn/GaWuyEx9F/yDfrD7aKDcgThOlWqa7k=; b=wsUcBhCT1oZnj1txTqtlOvc7p5CO0IqzefuZ3SyKFGLb2Eqt2VNb2dG9MkwTdnCX53 tR0O+cujtfrqUMOWU8jdrMIFNJEkwhQwbqzp7T+tv4xolIG63GrS7xWPwgiyMgVttNbj IdifOcPEFLYeF2wNyJujtz91pbITuiA7EfeS/vFg4xxv5Ut6NHY3cmRRdGwJZlPVC11v dqe6PQBPzp7xPPQYYXAFTo/UGGpuTiaVIn2U26xbfIDUE+VhtnJnPA/UCq/nhaum3N9e za60WYQtM4ScgeNffqShIskHnVMdPuGqB0X3muKOPAhvCttX1DG4BCxyYDmAqahH+iz8 HUYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758843923; x=1759448723; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ol0A50kwMXAn/GaWuyEx9F/yDfrD7aKDcgThOlWqa7k=; b=MaqfFb9zOPZ7Qs84RHCjxrm7P5xEpK5iGEMTOsxYdYYHTACe8/YH2lveWZwPVwtRw5 G33YvvINggsLtkYoUlwvIFpSqYxJmUt3QQkrTB6DAu5JK8kZEhKZJPO5KqbVB3ydXC5Q Fam6Fvp3dYjFaXmz8GcaK6DRuZ4LnjvbqHd8II5adKrfEPBMmCnHKy66506EBZes7cro cuGYbp2p0HMr6ZJa0VOXbL6Wzkn+8MQRPyctac/avGpcYL9V64vqxyqZ/LK2g7yzjqIj 7JiptTOqSb0vWTqIDCrNKCiHNnLJQRv3tGPJfGwObz3+vIuNpPl6e3PlglKo6u1quH2b 6zjA== X-Forwarded-Encrypted: i=1; AJvYcCVjb0iNyN4MGeUOtRn8+ckWE06B+hmyW1tkLFQheCWVs2U8f10gaf8VM3LPQXUEod8FMy2F+8ovJveBkr4=@vger.kernel.org X-Gm-Message-State: AOJu0YyN9S4iqkF8KnEnIEsMOyADq4yT4nUXOtq6jAQ/I+P/a7juhedn CMhm4kxv6Usd1uoiWLlL5+dJFL9BNQcdB7NLyvQf0Y6dSWiVe2S3KIzt+KXaLVw0hg== X-Gm-Gg: ASbGncvfuTvoB2yk3D5OSt9yZLxxc2qpYeUU0Whnl1ICkkcj/rml+VVq8EX4JUVM7R9 b1IJE9/z1n+MmHycxpGIXZmppbZ75OL3Nmb7yL+0LhQAKaoa3yLVEmiNjRNdFo2O43joH2EQGSq LTuPphtOEx/51oTq/8i4jp2xZmGt2z6BLStOBfBq7i2StvPEuznyUfUEYkUm3yBrt8dRugiMGsY hePnLAeKEhF07eBOKpf0RtT0w8smAshFjid3OF6jWZhUudXRm1FqLE9rYRTP3mc74rt+0jDWpL4 33OzOVTVe/K7/Dkem31KBkngWQmyclNkNUqNB+wE1rul2oj+NsUHjBel6fHY58CnIwTK7zMG/eG Pth6KY9Hf/Tp7lDLrK4J2K8+V+c1l X-Google-Smtp-Source: AGHT+IEeVIekGoQsa4rT2uNuLKasNfOTdtHTfwRcmmtPgJYSMssBKLy/KQ1C+vnJw/xi7QWtaEQg/w== X-Received: by 2002:a05:600c:6219:b0:45f:2940:d194 with SMTP id 5b1f17b1804b1-46e3af7cb37mr783415e9.2.1758843922890; Thu, 25 Sep 2025 16:45:22 -0700 (PDT) Received: from localhost ([2a00:79e0:9d:4:802b:ac1b:7bf0:4c9a]) by smtp.gmail.com with UTF8SMTPSA id 5b1f17b1804b1-46e33be359dsm49540085e9.13.2025.09.25.16.45.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Sep 2025 16:45:22 -0700 (PDT) From: Jann Horn Date: Fri, 26 Sep 2025 01:45:07 +0200 Subject: [PATCH 2/2] ima: add fs_subtype condition for distinguishing FUSE instances Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20250926-ima-audit-v1-2-64d75fdc8fdc@google.com> References: <20250926-ima-audit-v1-0-64d75fdc8fdc@google.com> In-Reply-To: <20250926-ima-audit-v1-0-64d75fdc8fdc@google.com> To: Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg Cc: Frank Dinoff , linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, Jann Horn X-Mailer: b4 0.15-dev X-Developer-Signature: v=1; a=ed25519-sha256; t=1758843915; l=5956; i=jannh@google.com; s=20240730; h=from:subject:message-id; bh=zc5PDYPZ7GdBtFvuYFvu8FWqBQP+b/s/g+l/C+lBL/A=; b=I1cM55SBW7Rg1+33aO8Wo7b0pVoP0LwvprwmWHcQ9HccOEFM5xfURqglA10HBLMb4yAyj+/XM 9/0Y5HO09OqCsOcWqz/AfcZloR9j8Iy1QjGxY7Wo9qM6pC/rT5mIg4K X-Developer-Key: i=jannh@google.com; a=ed25519; pk=AljNtGOzXeF6khBXDJVVvwSEkVDGnnZZYqfWhP1V+C8= Linux systems often use FUSE for several different purposes, where the contents of some FUSE instances can be of more interest for auditing than others. Allow distinguishing between them based on the filesystem subtype (s_subtype) using the new condition "fs_subtype". The subtype string is supplied by userspace FUSE daemons when a FUSE connection is initialized, so policy authors who want to filter based on subtype need to ensure that FUSE mount operations are sufficiently audited or restricted. Signed-off-by: Jann Horn --- Documentation/ABI/testing/ima_policy | 1 + security/integrity/ima/ima_policy.c | 43 ++++++++++++++++++++++++++++++++= ---- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testi= ng/ima_policy index 5d548dd2c6e7..d4b3696a9efb 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -23,6 +23,7 @@ Description: audit | dont_audit | hash | dont_hash condition:=3D base | lsm [option] base: [[func=3D] [mask=3D] [fsmagic=3D] [fsuuid=3D] [fsname=3D] + [fs_subtype=3D] [uid=3D] [euid=3D] [gid=3D] [egid=3D] [fowner=3D] [fgroup=3D]] lsm: [[subj_user=3D] [subj_role=3D] [subj_type=3D] diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/i= ma_policy.c index c5bad3a0c43a..164d62832f8e 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -38,6 +38,7 @@ #define IMA_GID 0x2000 #define IMA_EGID 0x4000 #define IMA_FGROUP 0x8000 +#define IMA_FS_SUBTYPE 0x10000 =20 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -120,6 +121,7 @@ struct ima_rule_entry { int type; /* audit type */ } lsm[MAX_LSM_RULES]; char *fsname; + char *fs_subtype; struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrin= gs */ struct ima_rule_opt_list *label; /* Measure data grouped under this label= */ struct ima_template_desc *template; @@ -398,6 +400,7 @@ static void ima_free_rule(struct ima_rule_entry *entry) * the defined_templates list and cannot be freed here */ kfree(entry->fsname); + kfree(entry->fs_subtype); ima_free_rule_opt_list(entry->keyrings); ima_lsm_free_rule(entry); kfree(entry); @@ -602,6 +605,12 @@ static bool ima_match_rules(struct ima_rule_entry *rul= e, if ((rule->flags & IMA_FSNAME) && strcmp(rule->fsname, inode->i_sb->s_type->name)) return false; + if (rule->flags & IMA_FS_SUBTYPE) { + if (!inode->i_sb->s_subtype) + return false; + if (strcmp(rule->fs_subtype, inode->i_sb->s_subtype)) + return false; + } if ((rule->flags & IMA_FSUUID) && !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) return false; @@ -1068,7 +1077,7 @@ enum policy_opt { Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash, Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, - Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid, + Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fs_subtype, Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq, Opt_fowner_eq, Opt_fgroup_eq, Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt, @@ -1100,6 +1109,7 @@ static const match_table_t policy_tokens =3D { {Opt_mask, "mask=3D%s"}, {Opt_fsmagic, "fsmagic=3D%s"}, {Opt_fsname, "fsname=3D%s"}, + {Opt_fs_subtype, "fs_subtype=3D%s"}, {Opt_fsuuid, "fsuuid=3D%s"}, {Opt_uid_eq, "uid=3D%s"}, {Opt_euid_eq, "euid=3D%s"}, @@ -1284,7 +1294,8 @@ static bool ima_validate_rule(struct ima_rule_entry *= entry) if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | IMA_UID | IMA_FOWNER | IMA_FSUUID | IMA_INMASK | IMA_EUID | IMA_PCR | - IMA_FSNAME | IMA_GID | IMA_EGID | + IMA_FSNAME | IMA_FS_SUBTYPE | + IMA_GID | IMA_EGID | IMA_FGROUP | IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED)) @@ -1297,7 +1308,8 @@ static bool ima_validate_rule(struct ima_rule_entry *= entry) if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | IMA_UID | IMA_FOWNER | IMA_FSUUID | IMA_INMASK | IMA_EUID | IMA_PCR | - IMA_FSNAME | IMA_GID | IMA_EGID | + IMA_FSNAME | IMA_FS_SUBTYPE | + IMA_GID | IMA_EGID | IMA_FGROUP | IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) @@ -1310,7 +1322,8 @@ static bool ima_validate_rule(struct ima_rule_entry *= entry) =20 if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID | IMA_FOWNER | IMA_FSUUID | IMA_EUID | - IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID | + IMA_PCR | IMA_FSNAME | IMA_FS_SUBTYPE | + IMA_GID | IMA_EGID | IMA_FGROUP)) return false; =20 @@ -1597,6 +1610,22 @@ static int ima_parse_rule(char *rule, struct ima_rul= e_entry *entry) result =3D 0; entry->flags |=3D IMA_FSNAME; break; + case Opt_fs_subtype: + ima_log_string(ab, "fs_subtype", args[0].from); + + if (entry->fs_subtype) { + result =3D -EINVAL; + break; + } + + entry->fs_subtype =3D kstrdup(args[0].from, GFP_KERNEL); + if (!entry->fs_subtype) { + result =3D -ENOMEM; + break; + } + result =3D 0; + entry->flags |=3D IMA_FS_SUBTYPE; + break; case Opt_keyrings: ima_log_string(ab, "keyrings", args[0].from); =20 @@ -2145,6 +2174,12 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, " "); } =20 + if (entry->flags & IMA_FS_SUBTYPE) { + snprintf(tbuf, sizeof(tbuf), "%s", entry->fs_subtype); + seq_printf(m, pt(Opt_fs_subtype), tbuf); + seq_puts(m, " "); + } + if (entry->flags & IMA_KEYRINGS) { seq_puts(m, "keyrings=3D"); ima_show_rule_opt_list(m, entry->keyrings); --=20 2.51.0.536.g15c5d4f767-goog