[PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

Next message: Jann Horn: "[PATCH 1/2] ima: add dont_audit action to suppress audit actions"
Previous message: Thinh Nguyen: "Re: [PATCH v2 2/3] usb: dwc3: dwc3-generic-plat: add layerscape dwc3 support"
Next in thread: Jann Horn: "[PATCH 1/2] ima: add dont_audit action to suppress audit actions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jann Horn

Date: Thu Sep 25 2025 - 19:45:32 EST

This series adds a "dont_audit" action that cancels out following
"audit" actions (as we already have for other action types), and also
adds an "fs_subtype" that can be used to distinguish between FUSE
filesystems.

With these two patches applied, as a toy example, you can use the
following policy:
```
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
```

I have tested that with this policy, executing a binary from a
"fuse-zip" FUSE filesystem results in an audit log entry:
```
type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
```
while executing a binary from an "sshfs" FUSE filesystem does not
generate any audit log entries.

Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
---
Jann Horn (2):
ima: add dont_audit action to suppress audit actions
ima: add fs_subtype condition for distinguishing FUSE instances

Documentation/ABI/testing/ima_policy | 3 +-
security/integrity/ima/ima_policy.c | 57 ++++++++++++++++++++++++++++++++----
2 files changed, 54 insertions(+), 6 deletions(-)
---
base-commit: 00642a06d60c897a8348784e1eee9e5369219ce5
change-id: 20250925-ima-audit-8bd219dcc6f6

--
Jann Horn <jannh@xxxxxxxxxx>