[PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

[PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

[Jann Horn]

This series adds a "dont_audit" action that cancels out following
"audit" actions (as we already have for other action types), and also
adds an "fs_subtype" that can be used to distinguish between FUSE
filesystems.

With these two patches applied, as a toy example, you can use the
following policy:
```
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
```

I have tested that with this policy, executing a binary from a
"fuse-zip" FUSE filesystem results in an audit log entry:
```
type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
```
while executing a binary from an "sshfs" FUSE filesystem does not
generate any audit log entries.

Signed-off-by: Jann Horn <jannh@google.com>
---
Jann Horn (2):
      ima: add dont_audit action to suppress audit actions
      ima: add fs_subtype condition for distinguishing FUSE instances

 Documentation/ABI/testing/ima_policy |  3 +-
 security/integrity/ima/ima_policy.c  | 57 ++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 6 deletions(-)
---
base-commit: 00642a06d60c897a8348784e1eee9e5369219ce5
change-id: 20250925-ima-audit-8bd219dcc6f6

--  
Jann Horn <jannh@google.com>

[PATCH 1/2] ima: add dont_audit action to suppress audit actions

[Jann Horn]

"measure", "appraise" and "hash" actions all have corresponding "dont_*"
actions, but "audit" currently lacks that. This means it is not
currently possible to have a policy that audits everything by default,
but excludes specific cases.

This seems to have been an oversight back when the "audit" action was
added.

Add a corresponding "dont_audit" action to enable such uses.

Signed-off-by: Jann Horn <jannh@google.com>
---
 Documentation/ABI/testing/ima_policy |  2 +-
 security/integrity/ima/ima_policy.c  | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index c2385183826c..5d548dd2c6e7 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -20,7 +20,7 @@ Description:
 		  rule format: action [condition ...]
 
 		  action: measure | dont_measure | appraise | dont_appraise |
-			  audit | hash | dont_hash
+			  audit | dont_audit | hash | dont_hash
 		  condition:= base | lsm  [option]
 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
 				[uid=] [euid=] [gid=] [egid=]
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 128fab897930..c5bad3a0c43a 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -45,6 +45,7 @@
 #define APPRAISE	0x0004	/* same as IMA_APPRAISE */
 #define DONT_APPRAISE	0x0008
 #define AUDIT		0x0040
+#define DONT_AUDIT	0x0080
 #define HASH		0x0100
 #define DONT_HASH	0x0200
 
@@ -1064,7 +1065,7 @@ void ima_update_policy(void)
 enum policy_opt {
 	Opt_measure, Opt_dont_measure,
 	Opt_appraise, Opt_dont_appraise,
-	Opt_audit, Opt_hash, Opt_dont_hash,
+	Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash,
 	Opt_obj_user, Opt_obj_role, Opt_obj_type,
 	Opt_subj_user, Opt_subj_role, Opt_subj_type,
 	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
@@ -1086,6 +1087,7 @@ static const match_table_t policy_tokens = {
 	{Opt_appraise, "appraise"},
 	{Opt_dont_appraise, "dont_appraise"},
 	{Opt_audit, "audit"},
+	{Opt_dont_audit, "dont_audit"},
 	{Opt_hash, "hash"},
 	{Opt_dont_hash, "dont_hash"},
 	{Opt_obj_user, "obj_user=%s"},
@@ -1478,6 +1480,14 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 
 			entry->action = AUDIT;
 			break;
+		case Opt_dont_audit:
+			ima_log_string(ab, "action", "dont_audit");
+
+			if (entry->action != UNKNOWN)
+				result = -EINVAL;
+
+			entry->action = DONT_AUDIT;
+			break;
 		case Opt_hash:
 			ima_log_string(ab, "action", "hash");
 
@@ -2097,6 +2107,8 @@ int ima_policy_show(struct seq_file *m, void *v)
 		seq_puts(m, pt(Opt_dont_appraise));
 	if (entry->action & AUDIT)
 		seq_puts(m, pt(Opt_audit));
+	if (entry->action & DONT_AUDIT)
+		seq_puts(m, pt(Opt_dont_audit));
 	if (entry->action & HASH)
 		seq_puts(m, pt(Opt_hash));
 	if (entry->action & DONT_HASH)

-- 
2.51.0.536.g15c5d4f767-goog

[PATCH 2/2] ima: add fs_subtype condition for distinguishing FUSE instances

[Jann Horn]

Linux systems often use FUSE for several different purposes, where the
contents of some FUSE instances can be of more interest for auditing
than others.

Allow distinguishing between them based on the filesystem subtype
(s_subtype) using the new condition "fs_subtype".

The subtype string is supplied by userspace FUSE daemons
when a FUSE connection is initialized, so policy authors who want to
filter based on subtype need to ensure that FUSE mount operations are
sufficiently audited or restricted.

Signed-off-by: Jann Horn <jannh@google.com>
---
 Documentation/ABI/testing/ima_policy |  1 +
 security/integrity/ima/ima_policy.c  | 43 ++++++++++++++++++++++++++++++++----
 2 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 5d548dd2c6e7..d4b3696a9efb 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -23,6 +23,7 @@ Description:
 			  audit | dont_audit | hash | dont_hash
 		  condition:= base | lsm  [option]
 			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
+				[fs_subtype=]
 				[uid=] [euid=] [gid=] [egid=]
 				[fowner=] [fgroup=]]
 			lsm:	[[subj_user=] [subj_role=] [subj_type=]
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index c5bad3a0c43a..164d62832f8e 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -38,6 +38,7 @@
 #define IMA_GID		0x2000
 #define IMA_EGID	0x4000
 #define IMA_FGROUP	0x8000
+#define IMA_FS_SUBTYPE	0x10000
 
 #define UNKNOWN		0
 #define MEASURE		0x0001	/* same as IMA_MEASURE */
@@ -120,6 +121,7 @@ struct ima_rule_entry {
 		int type;	/* audit type */
 	} lsm[MAX_LSM_RULES];
 	char *fsname;
+	char *fs_subtype;
 	struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
 	struct ima_rule_opt_list *label; /* Measure data grouped under this label */
 	struct ima_template_desc *template;
@@ -398,6 +400,7 @@ static void ima_free_rule(struct ima_rule_entry *entry)
 	 * the defined_templates list and cannot be freed here
 	 */
 	kfree(entry->fsname);
+	kfree(entry->fs_subtype);
 	ima_free_rule_opt_list(entry->keyrings);
 	ima_lsm_free_rule(entry);
 	kfree(entry);
@@ -602,6 +605,12 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
 	if ((rule->flags & IMA_FSNAME)
 	    && strcmp(rule->fsname, inode->i_sb->s_type->name))
 		return false;
+	if (rule->flags & IMA_FS_SUBTYPE) {
+		if (!inode->i_sb->s_subtype)
+			return false;
+		if (strcmp(rule->fs_subtype, inode->i_sb->s_subtype))
+			return false;
+	}
 	if ((rule->flags & IMA_FSUUID) &&
 	    !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
 		return false;
@@ -1068,7 +1077,7 @@ enum policy_opt {
 	Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash,
 	Opt_obj_user, Opt_obj_role, Opt_obj_type,
 	Opt_subj_user, Opt_subj_role, Opt_subj_type,
-	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
+	Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fs_subtype, Opt_fsuuid,
 	Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq,
 	Opt_fowner_eq, Opt_fgroup_eq,
 	Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt,
@@ -1100,6 +1109,7 @@ static const match_table_t policy_tokens = {
 	{Opt_mask, "mask=%s"},
 	{Opt_fsmagic, "fsmagic=%s"},
 	{Opt_fsname, "fsname=%s"},
+	{Opt_fs_subtype, "fs_subtype=%s"},
 	{Opt_fsuuid, "fsuuid=%s"},
 	{Opt_uid_eq, "uid=%s"},
 	{Opt_euid_eq, "euid=%s"},
@@ -1284,7 +1294,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
 				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
 				     IMA_INMASK | IMA_EUID | IMA_PCR |
-				     IMA_FSNAME | IMA_GID | IMA_EGID |
+				     IMA_FSNAME | IMA_FS_SUBTYPE |
+				     IMA_GID | IMA_EGID |
 				     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
 				     IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
 				     IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
@@ -1297,7 +1308,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
 				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
 				     IMA_INMASK | IMA_EUID | IMA_PCR |
-				     IMA_FSNAME | IMA_GID | IMA_EGID |
+				     IMA_FSNAME | IMA_FS_SUBTYPE |
+				     IMA_GID | IMA_EGID |
 				     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
 				     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
 				     IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
@@ -1310,7 +1322,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 
 		if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
 				     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
-				     IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID |
+				     IMA_PCR | IMA_FSNAME | IMA_FS_SUBTYPE |
+				     IMA_GID | IMA_EGID |
 				     IMA_FGROUP))
 			return false;
 
@@ -1597,6 +1610,22 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			result = 0;
 			entry->flags |= IMA_FSNAME;
 			break;
+		case Opt_fs_subtype:
+			ima_log_string(ab, "fs_subtype", args[0].from);
+
+			if (entry->fs_subtype) {
+				result = -EINVAL;
+				break;
+			}
+
+			entry->fs_subtype = kstrdup(args[0].from, GFP_KERNEL);
+			if (!entry->fs_subtype) {
+				result = -ENOMEM;
+				break;
+			}
+			result = 0;
+			entry->flags |= IMA_FS_SUBTYPE;
+			break;
 		case Opt_keyrings:
 			ima_log_string(ab, "keyrings", args[0].from);
 
@@ -2145,6 +2174,12 @@ int ima_policy_show(struct seq_file *m, void *v)
 		seq_puts(m, " ");
 	}
 
+	if (entry->flags & IMA_FS_SUBTYPE) {
+		snprintf(tbuf, sizeof(tbuf), "%s", entry->fs_subtype);
+		seq_printf(m, pt(Opt_fs_subtype), tbuf);
+		seq_puts(m, " ");
+	}
+
 	if (entry->flags & IMA_KEYRINGS) {
 		seq_puts(m, "keyrings=");
 		ima_show_rule_opt_list(m, entry->keyrings);

-- 
2.51.0.536.g15c5d4f767-goog

Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

[Mimi Zohar]

On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> This series adds a "dont_audit" action that cancels out following
> "audit" actions (as we already have for other action types), and also
> adds an "fs_subtype" that can be used to distinguish between FUSE
> filesystems.
> 
> With these two patches applied, as a toy example, you can use the
> following policy:
> ```
> dont_audit fsname=fuse fs_subtype=sshfs
> audit func=BPRM_CHECK fsname=fuse
> ```
> 
> I have tested that with this policy, executing a binary from a
> "fuse-zip" FUSE filesystem results in an audit log entry:
> ```
> type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> ```
> while executing a binary from an "sshfs" FUSE filesystem does not
> generate any audit log entries.
> 
> Signed-off-by: Jann Horn <jannh@google.com>


Thanks, Jann.  The patches look fine.  Assuming the "toy" test program creates
and mounts the fuse filesystems, not just loads the IMA policy rules, could you
share it?

thanks,

Mimi

Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

[Jann Horn]

On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > This series adds a "dont_audit" action that cancels out following
> > "audit" actions (as we already have for other action types), and also
> > adds an "fs_subtype" that can be used to distinguish between FUSE
> > filesystems.
> >
> > With these two patches applied, as a toy example, you can use the
> > following policy:
> > ```
> > dont_audit fsname=fuse fs_subtype=sshfs
> > audit func=BPRM_CHECK fsname=fuse
> > ```
> >
> > I have tested that with this policy, executing a binary from a
> > "fuse-zip" FUSE filesystem results in an audit log entry:
> > ```
> > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > ```
> > while executing a binary from an "sshfs" FUSE filesystem does not
> > generate any audit log entries.
> >
> > Signed-off-by: Jann Horn <jannh@google.com>
>
>
> Thanks, Jann.  The patches look fine.  Assuming the "toy" test program creates
> and mounts the fuse filesystems, not just loads the IMA policy rules, could you
> share it?

Thanks for the quick review! To clarify, by "toy example" I meant that
while I was using real FUSE filesystems, the policy I was using is not
very sensible.

I used real FUSE filesystems for this since I figured that would be
the easiest way to test, https://github.com/libfuse/sshfs and
https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros
like Debian (as "sshfs" and "fuse-zip"). I mounted sshfs with these
commands (mounting the home directory over ssh at ~/mnt/ssh):

user@vm:~$ cp /usr/bin/echo ~/ima/
user@vm:~$ sshfs localhost: ~/mnt/ssh

and mounted fuse-zip with:

user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo
  adding: usr/bin/echo (deflated 62%)
user@vm:~/ima$ mkdir zipmount
user@vm:~/ima$ fuse-zip echo.zip zipmount/

I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.

Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

[Mimi Zohar]

On Tue, 2025-09-30 at 16:26 +0200, Jann Horn wrote:
> On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > > This series adds a "dont_audit" action that cancels out following
> > > "audit" actions (as we already have for other action types), and also
> > > adds an "fs_subtype" that can be used to distinguish between FUSE
> > > filesystems.
> > > 
> > > With these two patches applied, as a toy example, you can use the
> > > following policy:
> > > ```
> > > dont_audit fsname=fuse fs_subtype=sshfs
> > > audit func=BPRM_CHECK fsname=fuse
> > > ```
> > > 
> > > I have tested that with this policy, executing a binary from a
> > > "fuse-zip" FUSE filesystem results in an audit log entry:
> > > ```
> > > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > > ```
> > > while executing a binary from an "sshfs" FUSE filesystem does not
> > > generate any audit log entries.
> > > 
> > > Signed-off-by: Jann Horn <jannh@google.com>
> > 
> > 
> > Thanks, Jann.  The patches look fine.  Assuming the "toy" test program creates
> > and mounts the fuse filesystems, not just loads the IMA policy rules, could you
> > share it?
> 
> Thanks for the quick review! To clarify, by "toy example" I meant that
> while I was using real FUSE filesystems, the policy I was using is not
> very sensible.
> 
> I used real FUSE filesystems for this since I figured that would be
> the easiest way to test, https://github.com/libfuse/sshfs and
> https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros
> like Debian (as "sshfs" and "fuse-zip"). I mounted sshfs with these
> commands (mounting the home directory over ssh at ~/mnt/ssh):
> 
> user@vm:~$ cp /usr/bin/echo ~/ima/
> user@vm:~$ sshfs localhost: ~/mnt/ssh
> 
> and mounted fuse-zip with:
> 
> user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo
>   adding: usr/bin/echo (deflated 62%)
> user@vm:~/ima$ mkdir zipmount
> user@vm:~/ima$ fuse-zip echo.zip zipmount/
> 
> I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.

Thank you for the instructions.  Due to the holidays, there was a delay. The
patches are now queued in next-integrity for 6.19.

Mimi

Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

[Jann Horn]

On Thu, Oct 16, 2025 at 5:52 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Tue, 2025-09-30 at 16:26 +0200, Jann Horn wrote:
> > On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> > > On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > > > This series adds a "dont_audit" action that cancels out following
> > > > "audit" actions (as we already have for other action types), and also
> > > > adds an "fs_subtype" that can be used to distinguish between FUSE
> > > > filesystems.
> > > >
> > > > With these two patches applied, as a toy example, you can use the
> > > > following policy:
> > > > ```
> > > > dont_audit fsname=fuse fs_subtype=sshfs
> > > > audit func=BPRM_CHECK fsname=fuse
> > > > ```
> > > >
> > > > I have tested that with this policy, executing a binary from a
> > > > "fuse-zip" FUSE filesystem results in an audit log entry:
> > > > ```
> > > > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > > > ```
> > > > while executing a binary from an "sshfs" FUSE filesystem does not
> > > > generate any audit log entries.
> > > >
> > > > Signed-off-by: Jann Horn <jannh@google.com>
> > >
> > >
> > > Thanks, Jann.  The patches look fine.  Assuming the "toy" test program creates
> > > and mounts the fuse filesystems, not just loads the IMA policy rules, could you
> > > share it?
> >
> > Thanks for the quick review! To clarify, by "toy example" I meant that
> > while I was using real FUSE filesystems, the policy I was using is not
> > very sensible.
> >
> > I used real FUSE filesystems for this since I figured that would be
> > the easiest way to test, https://github.com/libfuse/sshfs and
> > https://bitbucket.org/agalanin/fuse-zip. These are packaged in distros
> > like Debian (as "sshfs" and "fuse-zip"). I mounted sshfs with these
> > commands (mounting the home directory over ssh at ~/mnt/ssh):
> >
> > user@vm:~$ cp /usr/bin/echo ~/ima/
> > user@vm:~$ sshfs localhost: ~/mnt/ssh
> >
> > and mounted fuse-zip with:
> >
> > user@vm:~/ima$ zip -rD echo.zip /usr/bin/echo
> >   adding: usr/bin/echo (deflated 62%)
> > user@vm:~/ima$ mkdir zipmount
> > user@vm:~/ima$ fuse-zip echo.zip zipmount/
> >
> > I then ran the executables ~/ima/zipmount/usr/bin/echo and ~/mnt/ssh/ima/echo.
>
> Thank you for the instructions.  Due to the holidays, there was a delay. The
> patches are now queued in next-integrity for 6.19.

Thanks a lot!

Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

[Jann Horn]

Hi!

On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > This series adds a "dont_audit" action that cancels out following
> > "audit" actions (as we already have for other action types), and also
> > adds an "fs_subtype" that can be used to distinguish between FUSE
> > filesystems.
> >
> > With these two patches applied, as a toy example, you can use the
> > following policy:
> > ```
> > dont_audit fsname=fuse fs_subtype=sshfs
> > audit func=BPRM_CHECK fsname=fuse
> > ```
> >
> > I have tested that with this policy, executing a binary from a
> > "fuse-zip" FUSE filesystem results in an audit log entry:
> > ```
> > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > ```
> > while executing a binary from an "sshfs" FUSE filesystem does not
> > generate any audit log entries.
> >
> > Signed-off-by: Jann Horn <jannh@google.com>
>
>
> Thanks, Jann.  The patches look fine.

What's the next step here - are the patches going to land in the
next-integrity branch, so that they will go into 6.19?