Message-Id: <20250926-ima-audit-v1-0-64d75fdc8fdc@google.com>
Date: Fri, 26 Sep 2025 01:45:05 +0200
From: Jann Horn <jannh@...gle.com>
To: Mimi Zohar <zohar@...ux.ibm.com>, 
 Roberto Sassu <roberto.sassu@...wei.com>, 
 Dmitry Kasatkin <dmitry.kasatkin@...il.com>, 
 Eric Snowberg <eric.snowberg@...cle.com>
Cc: Frank Dinoff <fdinoff@...gle.com>, linux-kernel@...r.kernel.org, 
 linux-integrity@...r.kernel.org, Jann Horn <jannh@...gle.com>
Subject: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

This series adds a "dont_audit" action that cancels out following
"audit" actions (as we already have for other action types), and also
adds an "fs_subtype" that can be used to distinguish between FUSE
filesystems.

With these two patches applied, as a toy example, you can use the
following policy:
```
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
```

I have tested that with this policy, executing a binary from a
"fuse-zip" FUSE filesystem results in an audit log entry:
```
type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
```
while executing a binary from an "sshfs" FUSE filesystem does not
generate any audit log entries.

Signed-off-by: Jann Horn <jannh@...gle.com>
---
Jann Horn (2):
      ima: add dont_audit action to suppress audit actions
      ima: add fs_subtype condition for distinguishing FUSE instances

 Documentation/ABI/testing/ima_policy |  3 +-
 security/integrity/ima/ima_policy.c  | 57 ++++++++++++++++++++++++++++++++----
 2 files changed, 54 insertions(+), 6 deletions(-)
---
base-commit: 00642a06d60c897a8348784e1eee9e5369219ce5
change-id: 20250925-ima-audit-8bd219dcc6f6

--  
Jann Horn <jannh@...gle.com>
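The policy semantics the cover letter describes, modeled as a small Python evaluator. This is an added example for this archive page, not the kernel's `security/integrity/ima/ima_policy.c` and not code from the series. It assumes a simplified first-match rule walk (an earlier `dont_audit` cancels a later `audit` for any event it matches) and takes the filesystem attributes `fsname` and `fs_subtype` as plain event fields rather than reading them from a superblock; the sample events and their paths are constructed.

```python
"""Toy model of how an IMA policy with "dont_audit" and "fs_subtype" rules
decides whether an event produces an audit record.

Added example: this is NOT the kernel's security/integrity/ima/ima_policy.c.
It assumes the semantics the cover letter describes: rules are walked in
order, and the first rule of the audit family ("audit"/"dont_audit") whose
conditions all match decides the outcome, so an earlier "dont_audit" cancels
a later "audit". Filesystem attributes (fsname, fs_subtype) are supplied as
plain event fields rather than read from a superblock.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "audit" or "dont_audit" (other IMA actions are ignored here)
    conds: dict   # condition name -> required value, e.g. {"fsname": "fuse"}


def parse_policy(text: str) -> list[Rule]:
    """Parse the 'action key=value ...' line format used in the cover letter."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        conds = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            if not sep:
                raise ValueError(f"malformed condition {tok!r} in rule {line!r}")
            conds[key] = value
        rules.append(Rule(action, conds))
    return rules


def rule_matches(rule: Rule, event: dict) -> bool:
    """A rule matches only if every listed condition equals the event's value;
    a condition absent from the event (no fs_subtype on ext4) never matches."""
    return all(event.get(key) == value for key, value in rule.conds.items())


def should_audit(rules: list[Rule], event: dict) -> bool:
    """First matching audit-family rule wins; no match means no audit record."""
    for rule in rules:
        if rule.action not in ("audit", "dont_audit"):
            continue
        if rule_matches(rule, event):
            return rule.action == "audit"
    return False


# The toy policy from the cover letter.
POLICY = """
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# Constructed sample events; the paths are illustrative only.
EXEC_FUSE_ZIP = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip",
                 "path": "/home/user/ima/zipmount/usr/bin/echo"}
EXEC_SSHFS = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "sshfs",
              "path": "/mnt/remote/bin/true"}
READ_FUSE_ZIP = {"func": "FILE_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip",
                 "path": "/home/user/ima/zipmount/etc/motd"}
EXEC_EXT4 = {"func": "BPRM_CHECK", "fsname": "ext4", "path": "/usr/bin/echo"}


def evaluate(policy_text: str) -> dict:
    """Return which of the sample events would be audited under policy_text."""
    rules = parse_policy(policy_text)
    return {
        "exec_fuse_zip": should_audit(rules, EXEC_FUSE_ZIP),
        "exec_sshfs": should_audit(rules, EXEC_SSHFS),
        "read_fuse_zip": should_audit(rules, READ_FUSE_ZIP),
        "exec_ext4": should_audit(rules, EXEC_EXT4),
    }


def evaluate_reordered() -> dict:
    """Same two rules with dont_audit placed second: order decides, so the
    sshfs exec is now audited because the broad 'audit' rule matches first."""
    reordered = "\n".join(reversed(POLICY.strip().splitlines()))
    return evaluate(reordered)


if __name__ == "__main__":
    for name, audited in evaluate(POLICY).items():
        print(f"{name:15s} audited={audited}")
    print("reordered sshfs exec audited:", evaluate_reordered()["exec_sshfs"])
```

Only the `fuse-zip` exec is audited under the cover letter's policy: the `sshfs` exec is caught by the `dont_audit` rule before the `audit` rule is reached, the read has the wrong `func`, and ext4 has no matching rule at all. The reordered variant shows why rule order is part of the policy's meaning.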
