Re: [PATCH 0/2] ima: add dont_audit and fs_subtype to policy language
From: Jann Horn
Date: Tue Oct 14 2025 - 11:56:33 EST

Hi!

On Tue, Sep 30, 2025 at 12:23 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Fri, 2025-09-26 at 01:45 +0200, Jann Horn wrote:
> > This series adds a "dont_audit" action that cancels out following
> > "audit" actions (as we already have for other action types), and also
> > adds an "fs_subtype" that can be used to distinguish between FUSE
> > filesystems.
> >
> > With these two patches applied, as a toy example, you can use the
> > following policy:
> > ```
> > dont_audit fsname=fuse fs_subtype=sshfs
> > audit func=BPRM_CHECK fsname=fuse
> > ```
> >
> > I have tested that with this policy, executing a binary from a
> > "fuse-zip" FUSE filesystem results in an audit log entry:
> > ```
> > type=INTEGRITY_RULE msg=audit([...]): file="/home/user/ima/zipmount/usr/bin/echo" hash="sha256:1d82e8[...]
> > ```
> > while executing a binary from an "sshfs" FUSE filesystem does not
> > generate any audit log entries.
> >
> > Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
>
>
> Thanks, Jann. The patches look fine.

What's the next step here - are the patches going to land in the
next-integrity branch, so that they will go into 6.19?
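An added illustration, not part of this thread or of the kernel's code: a small Python model of the ordered policy walk that the quoted toy policy relies on, where the first rule matching a given event decides the audit outcome, so a matching "dont_audit" suppresses every later "audit" rule. The rule syntax and the two test scenarios come from the quoted cover letter; the first-match evaluation model and the "fuse-zip" subtype value are assumptions made for the example.

```python
# Added example (not kernel code): models IMA's ordered policy walk for the
# audit action. ASSUMPTION: the first rule that matches an event decides it,
# so a dont_audit match shadows any audit rule that comes after it.
from dataclasses import dataclass, field

ACTIONS = {"audit": True, "dont_audit": False}  # action -> audited?

@dataclass
class Rule:
    action: str                                 # "audit" or "dont_audit"
    conds: dict = field(default_factory=dict)   # e.g. {"fsname": "fuse"}

def parse_policy(text):
    """Parse lines such as 'dont_audit fsname=fuse fs_subtype=sshfs'."""
    rules = []
    for line in text.strip().splitlines():
        action, *pairs = line.split()
        if action not in ACTIONS:
            raise ValueError(f"unsupported action: {action}")
        rules.append(Rule(action, dict(p.split("=", 1) for p in pairs)))
    return rules

def should_audit(rules, ctx):
    """Return True if the event described by ctx (attribute -> value) is
    audited. A rule matches when every one of its conditions holds; an
    attribute the rule does not mention is unconstrained."""
    for rule in rules:
        if all(ctx.get(k) == v for k, v in rule.conds.items()):
            return ACTIONS[rule.action]
    return False  # no rule matched: nothing is audited

POLICY = """
dont_audit fsname=fuse fs_subtype=sshfs
audit func=BPRM_CHECK fsname=fuse
"""

# Constructed event contexts mirroring the two tests in the cover letter
# (the "fuse-zip" subtype string is an assumed value, not taken from the page).
FUSE_ZIP_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "fuse-zip"}
SSHFS_EXEC = {"func": "BPRM_CHECK", "fsname": "fuse", "fs_subtype": "sshfs"}

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    print("fuse-zip exec audited:", should_audit(rules, FUSE_ZIP_EXEC))  # True
    print("sshfs exec audited:", should_audit(rules, SSHFS_EXEC))        # False
    # Order matters: with the two lines swapped the audit rule matches first
    # and the dont_audit line never gets a chance to suppress it.
    swapped = parse_policy("\n".join(reversed(POLICY.strip().splitlines())))
    print("sshfs exec audited (swapped):", should_audit(swapped, SSHFS_EXEC))  # True
```

The swapped case is the practical check to run on a real policy: a "dont_audit" line only has effect on the "audit" lines that follow it.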