ima: add fs_subtype condition for distinguishing FUSE instances

Linux systems often use FUSE for several different purposes, where the
contents of some FUSE instances can be of more interest for auditing
than others.

Allow distinguishing between them based on the filesystem subtype
(s_subtype) using the new condition "fs_subtype".

The subtype string is supplied by userspace FUSE daemons
when a FUSE connection is initialized, so policy authors who want to
filter based on subtype need to ensure that FUSE mount operations are
sufficiently audited or restricted.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 5d548dd2c6e7cd67a777ea36d5d2ed72b91f34ed..d4b3696a9efb3ea7a67de85be30675be8bfe4e3f 100644 (file)
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -23,6 +23,7 @@ Description:
                          audit | dont_audit | hash | dont_hash
                  condition:= base | lsm  [option]
                        base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [fsname=]
+                               [fs_subtype=]
                                [uid=] [euid=] [gid=] [egid=]
                                [fowner=] [fgroup=]]
                        lsm:    [[subj_user=] [subj_role=] [subj_type=]

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index c5bad3a0c43a9d8e34b90cb7cc37c5d6294dc933..164d62832f8ec116dc2643cfb5af5672f1ca3c6f 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -38,6 +38,7 @@
 #define IMA_GID                0x2000
 #define IMA_EGID       0x4000
 #define IMA_FGROUP     0x8000
+#define IMA_FS_SUBTYPE 0x10000
 
 #define UNKNOWN                0
 #define MEASURE                0x0001  /* same as IMA_MEASURE */
@@ -120,6 +121,7 @@ struct ima_rule_entry {
                int type;       /* audit type */
        } lsm[MAX_LSM_RULES];
        char *fsname;
+       char *fs_subtype;
        struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
        struct ima_rule_opt_list *label; /* Measure data grouped under this label */
        struct ima_template_desc *template;
@@ -398,6 +400,7 @@ static void ima_free_rule(struct ima_rule_entry *entry)
         * the defined_templates list and cannot be freed here
         */
        kfree(entry->fsname);
+       kfree(entry->fs_subtype);
        ima_free_rule_opt_list(entry->keyrings);
        ima_lsm_free_rule(entry);
        kfree(entry);
@@ -602,6 +605,12 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
        if ((rule->flags & IMA_FSNAME)
            && strcmp(rule->fsname, inode->i_sb->s_type->name))
                return false;
+       if (rule->flags & IMA_FS_SUBTYPE) {
+               if (!inode->i_sb->s_subtype)
+                       return false;
+               if (strcmp(rule->fs_subtype, inode->i_sb->s_subtype))
+                       return false;
+       }
        if ((rule->flags & IMA_FSUUID) &&
            !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
                return false;
@@ -1068,7 +1077,7 @@ enum policy_opt {
        Opt_audit, Opt_dont_audit, Opt_hash, Opt_dont_hash,
        Opt_obj_user, Opt_obj_role, Opt_obj_type,
        Opt_subj_user, Opt_subj_role, Opt_subj_type,
-       Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid,
+       Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fs_subtype, Opt_fsuuid,
        Opt_uid_eq, Opt_euid_eq, Opt_gid_eq, Opt_egid_eq,
        Opt_fowner_eq, Opt_fgroup_eq,
        Opt_uid_gt, Opt_euid_gt, Opt_gid_gt, Opt_egid_gt,
@@ -1100,6 +1109,7 @@ static const match_table_t policy_tokens = {
        {Opt_mask, "mask=%s"},
        {Opt_fsmagic, "fsmagic=%s"},
        {Opt_fsname, "fsname=%s"},
+       {Opt_fs_subtype, "fs_subtype=%s"},
        {Opt_fsuuid, "fsuuid=%s"},
        {Opt_uid_eq, "uid=%s"},
        {Opt_euid_eq, "euid=%s"},
@@ -1284,7 +1294,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
                if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
                                     IMA_UID | IMA_FOWNER | IMA_FSUUID |
                                     IMA_INMASK | IMA_EUID | IMA_PCR |
-                                    IMA_FSNAME | IMA_GID | IMA_EGID |
+                                    IMA_FSNAME | IMA_FS_SUBTYPE |
+                                    IMA_GID | IMA_EGID |
                                     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
                                     IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
                                     IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
@@ -1297,7 +1308,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
                if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
                                     IMA_UID | IMA_FOWNER | IMA_FSUUID |
                                     IMA_INMASK | IMA_EUID | IMA_PCR |
-                                    IMA_FSNAME | IMA_GID | IMA_EGID |
+                                    IMA_FSNAME | IMA_FS_SUBTYPE |
+                                    IMA_GID | IMA_EGID |
                                     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
                                     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
                                     IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS))
@@ -1310,7 +1322,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 
                if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
                                     IMA_FOWNER | IMA_FSUUID | IMA_EUID |
-                                    IMA_PCR | IMA_FSNAME | IMA_GID | IMA_EGID |
+                                    IMA_PCR | IMA_FSNAME | IMA_FS_SUBTYPE |
+                                    IMA_GID | IMA_EGID |
                                     IMA_FGROUP))
                        return false;
 
@@ -1597,6 +1610,22 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                        result = 0;
                        entry->flags |= IMA_FSNAME;
                        break;
+               case Opt_fs_subtype:
+                       ima_log_string(ab, "fs_subtype", args[0].from);
+
+                       if (entry->fs_subtype) {
+                               result = -EINVAL;
+                               break;
+                       }
+
+                       entry->fs_subtype = kstrdup(args[0].from, GFP_KERNEL);
+                       if (!entry->fs_subtype) {
+                               result = -ENOMEM;
+                               break;
+                       }
+                       result = 0;
+                       entry->flags |= IMA_FS_SUBTYPE;
+                       break;
                case Opt_keyrings:
                        ima_log_string(ab, "keyrings", args[0].from);
 
@@ -2145,6 +2174,12 @@ int ima_policy_show(struct seq_file *m, void *v)
                seq_puts(m, " ");
        }
 
+       if (entry->flags & IMA_FS_SUBTYPE) {
+               snprintf(tbuf, sizeof(tbuf), "%s", entry->fs_subtype);
+               seq_printf(m, pt(Opt_fs_subtype), tbuf);
+               seq_puts(m, " ");
+       }
+
        if (entry->flags & IMA_KEYRINGS) {
                seq_puts(m, "keyrings=");
                ima_show_rule_opt_list(m, entry->keyrings);