Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language

Next message: Claudiu Beznea: "Re: [PATCH v2] pinctrl: renesas: rzg2l: Fix ISEL restore on resume"
Previous message: Brian Masney: "Re: [PATCH] clk: fix slab-use-after-free when clk_core_populate_parent_map failed"
In reply to: Jann Horn: "[PATCH 2/2] ima: add fs_subtype condition for distinguishing FUSE instances"
Next in thread: Jann Horn: "Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Mimi Zohar

Date: Tue Sep 30 2025 - 06:24:00 EST

On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> This series adds a "dont_audit" action that cancels out following
> "audit" actions (as we already have for other action types), and also
> adds an "fs_subtype" that can be used to distinguish between FUSE
> filesystems.
>
> With these two patches applied, as a toy example, you can use the
> following policy:
> ```
> dont_audit fsname=fuse fs_subtype=sshfs
> audit func=BPRM_CHECK fsname=fuse
> ```
>
> I have tested that with this policy, executing a binary from a
> "fuse-zip" FUSE filesystem results in an audit log entry:
> ```
> type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> ```
> while executing a binary from an "sshfs" FUSE filesystem does not
> generate any audit log entries.
>
> Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>

Thanks, Jann. The patches look fine. Assuming the "toy" test program creates
and mounts the fuse filesystems, not just loads the IMA policy rules, could you
share it?

thanks,

Mimi